CVE-2013-5606

medium

Description

The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate.

References

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761

http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00000.html

http://lists.opensuse.org/opensuse-updates/2013-11/msg00080.html

http://rhn.redhat.com/errata/RHSA-2013-1791.html

http://rhn.redhat.com/errata/RHSA-2013-1829.html

http://rhn.redhat.com/errata/RHSA-2014-0041.html

http://seclists.org/fulldisclosure/2014/Dec/23

http://security.gentoo.org/glsa/glsa-201406-19.xml

http://www.debian.org/security/2014/dsa-2994

http://www.mozilla.org/security/announce/2013/mfsa2013-103.html

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

http://www.securityfocus.com/archive/1/534161/100/0/threaded

http://www.securityfocus.com/bid/63737

http://www.ubuntu.com/usn/USN-2030-1

http://www.vmware.com/security/advisories/VMSA-2014-0012.html

https://bugzilla.mozilla.org/show_bug.cgi?id=910438

https://developer.mozilla.org/docs/NSS/NSS_3.15.3_release_notes

https://security.gentoo.org/glsa/201504-01

Details

Source: MITRE

Published: 2013-11-18

Updated: 2018-10-09

Type: CWE-264

Risk Information

CVSS v2

Base Score: 5.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 8.6

Severity: MEDIUM

Tenable Plugins

ID | Name | Product | Family | Severity
127200 | NewStart CGSL CORE 5.04 / MAIN 5.04 : nss Multiple Vulnerabilities (NS-SA-2019-0033) | Nessus | NewStart CGSL Local Security Checks | high
91747 | OracleVM 3.2 : nss (OVMSA-2016-0066) | Nessus | OracleVM Local Security Checks | critical
91746 | OracleVM 3.2 : nspr (OVMSA-2016-0065) | Nessus | OracleVM Local Security Checks | high
82632 | GLSA-201504-01 : Mozilla Products: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical
82171 | Debian DLA-23-1 : nss security update | Nessus | Debian Local Security Checks | high
79540 | OracleVM 3.3 : nss (OVMSA-2014-0023) | Nessus | OracleVM Local Security Checks | high
79538 | OracleVM 3.3 : nss-util (OVMSA-2014-0015) | Nessus | OracleVM Local Security Checks | high
79537 | OracleVM 3.3 : nss (OVMSA-2014-0014) | Nessus | OracleVM Local Security Checks | high
78994 | RHEL 6 : rhev-hypervisor6 (RHSA-2014:0041) | Nessus | Red Hat Local Security Checks | high
78774 | Oracle OpenSSO Agent Multiple Vulnerabilities (October 2014 CPU) | Nessus | CGI abuses | high
78541 | Oracle WebLogic Server Multiple Vulnerabilities (October 2014 CPU) | Nessus | Misc. | high
76950 | Debian DSA-2994-1 : nss - security update | Nessus | Debian Local Security Checks | high
76938 | Oracle Traffic Director Multiple Vulnerabilities (July 2014 CPU) | Nessus | Misc. | high
76593 | Oracle iPlanet Web Server 7.0.x < 7.0.20 Multiple Vulnerabilities | Nessus | Web Servers | high
76592 | Oracle iPlanet Web Proxy Server 4.0 < 4.0.24 Multiple Vulnerabilities | Nessus | Windows | high
76591 | Oracle GlassFish Server Multiple Vulnerabilities (July 2014 CPU) | Nessus | Web Servers | high
76178 | GLSA-201406-19 : Mozilla Network Security Service: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | medium
71578 | Amazon Linux AMI : nspr (ALAS-2013-266) | Nessus | Amazon Linux Local Security Checks | high
71577 | Amazon Linux AMI : nss (ALAS-2013-265) | Nessus | Amazon Linux Local Security Checks | high
71424 | Scientific Linux Security Update : nss, nspr, and nss-util on SL6.x i386/x86_64 (20131212) | Nessus | Scientific Linux Local Security Checks | high
71390 | RHEL 6 : nss, nspr, and nss-util (RHSA-2013:1829) | Nessus | Red Hat Local Security Checks | high
71388 | Oracle Linux 6 : nspr / nss / nss-util (ELSA-2013-1829) | Nessus | Oracle Linux Local Security Checks | high
71380 | CentOS 6 : nspr / nss / nss-util (CESA-2013:1829) | Nessus | CentOS Local Security Checks | high
71306 | Scientific Linux Security Update : nss and nspr on SL5.x i386/x86_64 (20131205) | Nessus | Scientific Linux Local Security Checks | high
71243 | RHEL 5 : nss and nspr (RHSA-2013:1791) | Nessus | Red Hat Local Security Checks | high
71241 | Oracle Linux 5 : nspr / nss (ELSA-2013-1791) | Nessus | Oracle Linux Local Security Checks | high
71237 | CentOS 5 : nspr / nss (CESA-2013:1791) | Nessus | CentOS Local Security Checks | high
71172 | SuSE 11.2 / 11.3 Security Update : mozilla-nspr, mozilla-nss (SAT Patch Numbers 8572 / 8573) | Nessus | SuSE Local Security Checks | high
71045 | Mozilla Thunderbird < 24.1.1 NSS and NSPR Multiple Vulnerabilities | Nessus | Windows | high
71043 | Thunderbird < 24.1 NSS and NSPR Multiple Vulnerabilities (Mac OS X) | Nessus | MacOS X Local Security Checks | high
70998 | Mandriva Linux Security Advisory : nss (MDVSA-2013:270) | Nessus | Mandriva Local Security Checks | high
70962 | Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.04 / 13.10 : nss vulnerabilities (USN-2030-1) | Nessus | Ubuntu Local Security Checks | high
70950 | SeaMonkey < 2.22.1 NSS and NSPR Multiple Vulnerabilities | Nessus | Windows | high
70949 | Firefox < 25.0.1 NSS and NSPR Multiple Vulnerabilities | Nessus | Windows | high
70948 | Firefox ESR 24.x < 24.1.1 NSS and NSPR Multiple Vulnerabilities | Nessus | Windows | high
70946 | Firefox < 25.0.1 NSS and NSPR Multiple Vulnerabilities (Mac OS X) | Nessus | MacOS X Local Security Checks | high
70945 | Firefox ESR 24.x < 24.1.1 NSS and NSPR Multiple Vulnerabilities (Mac OS X) | Nessus | MacOS X Local Security Checks | high