CVE-2013-1740

CWE-3109 documents8 sources

Severity

5.8MEDIUM

EPSS

1.0%

top 23.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Network Security Services

Timeline

PublishedJan 18

Latest updateMay 14

Description

The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 8.6 | Impact: 4.9

Affected Packages2 packages

▶NVDmozilla/network_security_services3.15.3+46

▶Debiannss< 2:3.15.4-1+3

🔴Vulnerability Details

GHSA

GHSA-26rr-whcg-5f4g: The ssl_Do1stHandshake function in sslsecur↗2022-05-14

▶

CVEList

CVE-2013-1740: The ssl_Do1stHandshake function in sslsecur↗2014-01-18

▶

OSV

CVE-2013-1740: The ssl_Do1stHandshake function in sslsecur↗2014-01-18

▶

📋Vendor Advisories

Ubuntu

NSS vulnerability↗2014-01-23

▶

Red Hat

nss: false start PR_Recv information disclosure security issue↗2014-01-05

▶

Debian

CVE-2013-1740: nss - The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Secur...↗2013

▶

💬Community

Bugzilla

CVE-2013-1740 nss: false start PR_Recv information disclosure security issue [fedora-all]↗2014-01-16

▶

Bugzilla

CVE-2013-1740 nss: false start PR_Recv information disclosure security issue↗2014-01-15

▶