CVE-2014-1492

The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.

Published: 2014-03-25 13:25
Updated: 2018-10-09 19:42

CVSS Score: 4.3 / 10
Vendor Product Version URI
Mozilla Network Security Services 3.12.11 cpe:/a:mozilla:network_security_services:3.12.11
Mozilla Network Security Services 3.12.10 cpe:/a:mozilla:network_security_services:3.12.10
Mozilla Network Security Services 3.15.3.1 cpe:/a:mozilla:network_security_services:3.15.3.1
Mozilla Network Security Services 3.6.1 cpe:/a:mozilla:network_security_services:3.6.1
Mozilla Network Security Services 3.4.1 cpe:/a:mozilla:network_security_services:3.4.1
Mozilla Network Security Services 3.4.2 cpe:/a:mozilla:network_security_services:3.4.2
Mozilla Network Security Services 3.2.1 cpe:/a:mozilla:network_security_services:3.2.1
Mozilla Network Security Services 3.12.1 cpe:/a:mozilla:network_security_services:3.12.1
Mozilla Network Security Services 3.3.1 cpe:/a:mozilla:network_security_services:3.3.1
Mozilla Network Security Services 3.12.7 cpe:/a:mozilla:network_security_services:3.12.7
Mozilla Network Security Services 3.14.5 cpe:/a:mozilla:network_security_services:3.14.5
Mozilla Network Security Services 3.7 cpe:/a:mozilla:network_security_services:3.7
Mozilla Network Security Services 3.12.4 cpe:/a:mozilla:network_security_services:3.12.4
Mozilla Network Security Services 3.14.2 cpe:/a:mozilla:network_security_services:3.14.2
Mozilla Network Security Services 3.12.9 cpe:/a:mozilla:network_security_services:3.12.9
Mozilla Network Security Services 3.5 cpe:/a:mozilla:network_security_services:3.5
Mozilla Network Security Services 3.12.6 cpe:/a:mozilla:network_security_services:3.12.6
Mozilla Network Security Services 3.14.4 cpe:/a:mozilla:network_security_services:3.14.4
Mozilla Network Security Services 3.8 cpe:/a:mozilla:network_security_services:3.8
Mozilla Network Security Services 3.12.8 cpe:/a:mozilla:network_security_services:3.12.8
Mozilla Network Security Services 3.9 cpe:/a:mozilla:network_security_services:3.9
Mozilla Network Security Services 3.12.3.2 cpe:/a:mozilla:network_security_services:3.12.3.2
Mozilla Network Security Services 3.12.3.1 cpe:/a:mozilla:network_security_services:3.12.3.1
Mozilla Network Security Services 3.12.3 cpe:/a:mozilla:network_security_services:3.12.3
Mozilla Network Security Services 3.14.1 cpe:/a:mozilla:network_security_services:3.14.1
Mozilla Network Security Services 3.12.5 cpe:/a:mozilla:network_security_services:3.12.5
Mozilla Network Security Services 3.14.3 cpe:/a:mozilla:network_security_services:3.14.3
Mozilla Network Security Services 3.12.2 cpe:/a:mozilla:network_security_services:3.12.2
Mozilla Network Security Services 3.14 cpe:/a:mozilla:network_security_services:3.14
Mozilla Network Security Services 3.15 cpe:/a:mozilla:network_security_services:3.15
Mozilla Network Security Services 3.12 cpe:/a:mozilla:network_security_services:3.12
Mozilla Network Security Services 3.2 cpe:/a:mozilla:network_security_services:3.2
Mozilla Network Security Services 3.3 cpe:/a:mozilla:network_security_services:3.3
Mozilla Network Security Services 3.6 cpe:/a:mozilla:network_security_services:3.6
Mozilla Network Security Services 3.4 cpe:/a:mozilla:network_security_services:3.4
Mozilla Network Security Services 3.7.1 cpe:/a:mozilla:network_security_services:3.7.1
Mozilla Network Security Services 3.3.2 cpe:/a:mozilla:network_security_services:3.3.2
Mozilla Network Security Services 3.11.2 cpe:/a:mozilla:network_security_services:3.11.2
Mozilla Network Security Services 3.15.4 cpe:/a:mozilla:network_security_services:3.15.4
Mozilla Network Security Services 3.7.5 cpe:/a:mozilla:network_security_services:3.7.5
Mozilla Network Security Services 3.11.5 cpe:/a:mozilla:network_security_services:3.11.5
Mozilla Network Security Services 3.15.1 cpe:/a:mozilla:network_security_services:3.15.1
Mozilla Network Security Services 3.7.2 cpe:/a:mozilla:network_security_services:3.7.2
Mozilla Network Security Services 3.7.3 cpe:/a:mozilla:network_security_services:3.7.3
Mozilla Network Security Services 3.15.3 cpe:/a:mozilla:network_security_services:3.15.3
Mozilla Network Security Services 3.15.5 cpe:/a:mozilla:network_security_services:3.15.5
Mozilla Network Security Services 3.11.4 cpe:/a:mozilla:network_security_services:3.11.4
Mozilla Network Security Services 3.15.2 cpe:/a:mozilla:network_security_services:3.15.2
Mozilla Network Security Services 3.7.7 cpe:/a:mozilla:network_security_services:3.7.7
Mozilla Network Security Services 3.11.3 cpe:/a:mozilla:network_security_services:3.11.3

CWE

ID Name Description Links
CWE-20 Improper Input Validation The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program. CVE

References

Source Link
CONFIRM http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761
FEDORA http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132437.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00006.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00015.html
SUSE http://lists.opensuse.org/opensuse-updates/2014-05/msg00010.html
SUSE http://lists.opensuse.org/opensuse-updates/2014-05/msg00033.html
FULLDISC http://seclists.org/fulldisclosure/2014/Dec/23
SECUNIA http://secunia.com/advisories/60621
SECUNIA http://secunia.com/advisories/60794
DEBIAN http://www.debian.org/security/2014/dsa-2994
CONFIRM http://www.mozilla.org/security/announce/2014/mfsa2014-45.html
CONFIRM http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
CONFIRM http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
CONFIRM http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
CONFIRM http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
BID http://www.securityfocus.com/bid/66356
UBUNTU http://www.ubuntu.com/usn/USN-2159-1
UBUNTU http://www.ubuntu.com/usn/USN-2185-1
CONFIRM http://www.vmware.com/security/advisories/VMSA-2014-0012.html
CONFIRM https://bugzilla.mozilla.org/show_bug.cgi?id=903885
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1079851
CONFIRM https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes
CONFIRM https://hg.mozilla.org/projects/nss/rev/709d4e597979
GENTOO https://security.gentoo.org/glsa/201504-01
CONFIRM http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
BUGTRAQ http://www.securityfocus.com/archive/1/534161/100/0/threaded