CVE-2006-4340

Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.7, Thunderbird before 1.5.0.7, and SeaMonkey before 1.0.5, when using an RSA key with exponent 3, does not properly handle extra data in a signature, which allows remote attackers to forge signatures for SSL/TLS and email certificates, a similar vulnerability to CVE-2006-4339. NOTE: on 20061107, Mozilla released an advisory stating that these versions were not completely patched by MFSA2006-60. The newer fixes for 1.5.0.7 are covered by CVE-2006-5462.

Published : 2006-09-15 18:07 Updated : 2018-10-17 21:36

4.0
CVSS Score More info
Score 4.0 / 10
4.0
Vendor Product Version URI
Mozilla Firefox 1.5.0.6 cpe:/a:mozilla:firefox:1.5.0.6
Mozilla Seamonkey 1.0.4 cpe:/a:mozilla:seamonkey:1.0.4
Mozilla Network Security Services 3.11.2 cpe:/a:mozilla:network_security_services:3.11.2
Mozilla Thunderbird 1.5.0.6 cpe:/a:mozilla:thunderbird:1.5.0.6
  1. Mozilla (4) Search CVE
    1. Firefox (1) Search CVE
      1. 1.5.0.6
    2. Thunderbird (1) Search CVE
      1. 1.5.0.6
    3. Network Security Services (1) Search CVE
      1. 3.11.2
    4. Seamonkey (1) Search CVE
      1. 1.0.4

CWE

ID Name Description Links
CWE-20 Improper Input Validation The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program. CVE

References

Source Link
SGI ftp://patches.sgi.com/support/free/security/advisories/20060901-01-P.asc
GENTOO http://security.gentoo.org/glsa/glsa-200609-19.xml
GENTOO http://security.gentoo.org/glsa/glsa-200610-01.xml
SECTRACK http://securitytracker.com/id?1016858
SECTRACK http://securitytracker.com/id?1016859
SECTRACK http://securitytracker.com/id?1016860
SUNALERT http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
SUNALERT http://sunsolve.sun.com/search/document.do?assetkey=1-26-102781-1
CONFIRM http://support.avaya.com/elmodocs2/security/ASA-2006-224.htm
CONFIRM http://support.avaya.com/elmodocs2/security/ASA-2006-250.htm
DEBIAN http://www.debian.org/security/2006/dsa-1192
DEBIAN http://www.debian.org/security/2006/dsa-1210
GENTOO http://www.gentoo.org/security/en/glsa/glsa-200610-06.xml
MLIST http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html
MANDRIVA http://www.mandriva.com/security/advisories?name=MDKSA-2006:168
MANDRIVA http://www.mandriva.com/security/advisories?name=MDKSA-2006:169
MISC http://www.matasano.com/log/469/many-rsa-signatures-may-be-forgeable-in-openssl-and-elsewhere/
CONFIRM http://www.mozilla.org/security/announce/2006/mfsa2006-60.html
MISC http://www.mozilla.org/security/announce/2006/mfsa2006-66.html
SUSE http://www.novell.com/linux/security/advisories/2006_54_mozilla.html
SUSE http://www.novell.com/linux/security/advisories/2006_55_ssl.html
REDHAT http://www.redhat.com/support/errata/RHSA-2006-0675.html
REDHAT http://www.redhat.com/support/errata/RHSA-2006-0676.html
REDHAT http://www.redhat.com/support/errata/RHSA-2006-0677.html
UBUNTU http://www.ubuntu.com/usn/usn-350-1
UBUNTU http://www.ubuntu.com/usn/usn-351-1
UBUNTU http://www.ubuntu.com/usn/usn-352-1
UBUNTU http://www.ubuntu.com/usn/usn-354-1
UBUNTU http://www.ubuntu.com/usn/usn-361-1
CERT http://www.us-cert.gov/cas/techalerts/TA06-312A.html
DEBIAN http://www.us.debian.org/security/2006/dsa-1191
VUPEN http://www.vupen.com/english/advisories/2006/3617
VUPEN http://www.vupen.com/english/advisories/2006/3622
VUPEN http://www.vupen.com/english/advisories/2006/3748
VUPEN http://www.vupen.com/english/advisories/2006/3899
VUPEN http://www.vupen.com/english/advisories/2007/0293
VUPEN http://www.vupen.com/english/advisories/2007/1198
VUPEN http://www.vupen.com/english/advisories/2008/0083
CONFIRM https://issues.rpath.com/browse/RPL-640
HP http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00771742
XF https://exchange.xforce.ibmcloud.com/vulnerabilities/30098
BUGTRAQ http://www.securityfocus.com/archive/1/446140/100/0/threaded