CVE-2011-3640 — Untrusted Search Path in Google Chrome

CWE-426 — Untrusted Search Path6 documents6 sources

Severity

7.1HIGHNVD

EPSS

0.3%

top 43.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla NSS Google Chrome Debian NSS

Timeline

PublishedOct 28

Latest updateMay 13

Description

Untrusted search path vulnerability in Mozilla Network Security Services (NSS), as used in Google Chrome before 17 on Windows and Mac OS X, might allow local users to gain privileges via a Trojan horse pkcs11.txt file in a top-level directory. NOTE: the vendor's response was "Strange behavior, but we're not treating this as a security bug."

CVSS vector

AV:N/AC:H/C:C/I:C/A:CExploitability: 3.9 | Impact: 10.0

Affected Packages3 packages

▶NVDgoogle/chrome< 17.0

▶Debianmozilla/nss< 3.13.1.with.ckbi.1.88-1+3

▶debiandebian/nss< nss 3.13.1.with.ckbi.1.88-1 (bookworm)

Patches

Patch: code.google.com ↗Patch: bugzilla.mozilla.org ↗Patch: code.google.com ↗

🔴Vulnerability Details

GHSA

GHSA-75w4-cpff-gxx5: ** DISPUTED ** Untrusted search path vulnerability in Mozilla Network Security Services (NSS), as used in Google Chrome before 17 on Windows and Mac O↗2022-05-13

▶

OSV

CVE-2011-3640: Untrusted search path vulnerability in Mozilla Network Security Services (NSS), as used in Google Chrome before 17 on Windows and Mac OS X, might allo↗2011-10-28

▶

📋Vendor Advisories

Red Hat

nss: /pkcs11.txt and /secmod.db files read on initialization↗2011-09-23

▶

Debian

CVE-2011-3640: nss - Untrusted search path vulnerability in Mozilla Network Security Services (NSS), ...↗2011

▶

💬Community

Bugzilla

CVE-2011-3640 nss: /pkcs11.txt and /secmod.db files read on initialization↗2011-10-24

▶