CVE-2014-1491

Mozilla Network Security Services < 3.15.4 - Inadequate Encryption Strength in Diffie-Hellman Key Exchange

Title source: llm
STIX 2.1

Description

Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value.

References (32)

Core 32
Core References
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2119-1
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1029721
Patch, Vendor Advisory x_refsource_confirm
http://hg.mozilla.org/projects/nss/rev/12c42006aed8
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00004.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/90886
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1029717
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2014/dsa-2994
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/65332
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/56922
Exploit, Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=934545
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1029720
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/56858
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2014/dsa-2858
Not Applicable mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/534161/100/0/threaded
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2102-2
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201504-01
Third Party Advisory, Vendor Advisory x_refsource_confirm
http://www.mozilla.org/security/announce/2014/mfsa2014-12.html
Third Party Advisory x_refsource_confirm
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761
Not Applicable mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Dec/23
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/56888
Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2014-February/129218.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00017.html
Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127966.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00010.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00005.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2102-1

Scores

EPSS 0.0053
EPSS Percentile 67.4%

Details

CWE
CWE-326
Status published
Products (22)
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 12.10
canonical/ubuntu_linux 13.10
debian/debian_linux 7.0
debian/debian_linux 8.0
fedoraproject/fedora 19
fedoraproject/fedora 20
mozilla/firefox < 24.3
mozilla/network_security_services < 3.15.4
mozilla/seamonkey < 2.24
... and 12 more
Published Feb 06, 2014
Tracked Since Feb 18, 2026