CVE-2014-1492

Published: Mar 25, 2014Modified: May 6, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.

Affected (50)

Products: Mozilla: Network Security Services

1 product

Network Security Services

Configuration A

50 vulnerable

Vulnerable Software	Affected Versions
Mozilla Network Security Services	Up to 3.15.5
Mozilla Network Security Services	Version 3.11.2
Mozilla Network Security Services	Version 3.11.3
Mozilla Network Security Services	Version 3.11.4
Mozilla Network Security Services	Version 3.11.5
Mozilla Network Security Services	Version 3.12.10
Mozilla Network Security Services	Version 3.12.11
Mozilla Network Security Services	Version 3.12.1
Mozilla Network Security Services	Version 3.12.2
Mozilla Network Security Services	Version 3.12.3.1
Mozilla Network Security Services	Version 3.12.3.2
Mozilla Network Security Services	Version 3.12.3
Mozilla Network Security Services	Version 3.12.4
Mozilla Network Security Services	Version 3.12.5
Mozilla Network Security Services	Version 3.12.6
Mozilla Network Security Services	Version 3.12.7
Mozilla Network Security Services	Version 3.12.8
Mozilla Network Security Services	Version 3.12.9
Mozilla Network Security Services	Version 3.12
Mozilla Network Security Services	Version 3.14.1
Mozilla Network Security Services	Version 3.14.2
Mozilla Network Security Services	Version 3.14.3
Mozilla Network Security Services	Version 3.14.4
Mozilla Network Security Services	Version 3.14.5
Mozilla Network Security Services	Version 3.14
Mozilla Network Security Services	Version 3.15.1
Mozilla Network Security Services	Version 3.15.2
Mozilla Network Security Services	Version 3.15.3.1
Mozilla Network Security Services	Version 3.15.3
Mozilla Network Security Services	Version 3.15.4
Mozilla Network Security Services	Version 3.15
Mozilla Network Security Services	Version 3.2.1
Mozilla Network Security Services	Version 3.2
Mozilla Network Security Services	Version 3.3.1
Mozilla Network Security Services	Version 3.3.2
Mozilla Network Security Services	Version 3.3
Mozilla Network Security Services	Version 3.4.1
Mozilla Network Security Services	Version 3.4.2
Mozilla Network Security Services	Version 3.4
Mozilla Network Security Services	Version 3.5
Mozilla Network Security Services	Version 3.6.1
Mozilla Network Security Services	Version 3.6
Mozilla Network Security Services	Version 3.7.1
Mozilla Network Security Services	Version 3.7.2
Mozilla Network Security Services	Version 3.7.3
Mozilla Network Security Services	Version 3.7.5
Mozilla Network Security Services	Version 3.7.7
Mozilla Network Security Services	Version 3.7
Mozilla Network Security Services	Version 3.8
Mozilla Network Security Services	Version 3.9

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (54)

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761

Source: security@mozilla.org

http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132437.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00006.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00015.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-updates/2014-05/msg00010.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-updates/2014-05/msg00033.html

Source: security@mozilla.org

http://seclists.org/fulldisclosure/2014/Dec/23

Source: security@mozilla.org

http://secunia.com/advisories/59866

Source: security@mozilla.org

http://secunia.com/advisories/60621

Source: security@mozilla.org

http://secunia.com/advisories/60794

Source: security@mozilla.org

http://www.debian.org/security/2014/dsa-2994

Source: security@mozilla.org

http://www.mozilla.org/security/announce/2014/mfsa2014-45.html

Source: security@mozilla.org

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

Source: security@mozilla.org

http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

Source: security@mozilla.org

http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

Source: security@mozilla.org

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

Source: security@mozilla.org

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

Source: security@mozilla.org

http://www.securityfocus.com/archive/1/534161/100/0/threaded

Source: security@mozilla.org

http://www.securityfocus.com/bid/66356

Source: security@mozilla.org

http://www.ubuntu.com/usn/USN-2159-1

Source: security@mozilla.org

http://www.ubuntu.com/usn/USN-2185-1

Source: security@mozilla.org

http://www.vmware.com/security/advisories/VMSA-2014-0012.html

Source: security@mozilla.org

https://bugzilla.mozilla.org/show_bug.cgi?id=903885

Source: security@mozilla.org

https://bugzilla.redhat.com/show_bug.cgi?id=1079851

Source: security@mozilla.org

https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes

Source: security@mozilla.org

https://hg.mozilla.org/projects/nss/rev/709d4e597979

Source: security@mozilla.org

ExploitPatch

https://security.gentoo.org/glsa/201504-01

Source: security@mozilla.org

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132437.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00006.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00015.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-updates/2014-05/msg00010.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-updates/2014-05/msg00033.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://seclists.org/fulldisclosure/2014/Dec/23

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/59866

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/60621

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/60794

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.debian.org/security/2014/dsa-2994

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.mozilla.org/security/announce/2014/mfsa2014-45.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/archive/1/534161/100/0/threaded

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/66356

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.ubuntu.com/usn/USN-2159-1

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.ubuntu.com/usn/USN-2185-1

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.vmware.com/security/advisories/VMSA-2014-0012.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.mozilla.org/show_bug.cgi?id=903885

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.redhat.com/show_bug.cgi?id=1079851

Source: af854a3a-2127-422b-91ae-364da2661108

https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes

Source: af854a3a-2127-422b-91ae-364da2661108

https://hg.mozilla.org/projects/nss/rev/709d4e597979

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatch

https://security.gentoo.org/glsa/201504-01

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.