CVE-2013-5606

CWE-264 | 9 documents | 8 sources
Severity
5.8 MEDIUM
EPSS
0.7%
top 28.85%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Nov 18
Latest update: May 14

Description

The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate.

CVSS vector

AV:N/AC:M/C:P/I:P/A:N
Exploitability: 8.6 | Impact: 4.9

Affected Packages (2 packages)

NVD: mozilla/network_security_services 3.15, 3.15.1, 3.15.2 (+2 more)
Debian: nss < 2:3.15.3-1 (+3 more)

Vulnerability Details (3)

GHSA: GHSA-mphq-fg36-pppm: The CERT_VerifyCert function in lib/certhigh/certvfy (2022-05-14)
OSV: CVE-2013-5606: The CERT_VerifyCert function in lib/certhigh/certvfy (2013-11-18)
CVEList: CVE-2013-5606: The CERT_VerifyCert function in lib/certhigh/certvfy (2013-11-16)

Vendor Advisories (3)

Red Hat: nss: CERT_VerifyCert returns SECSuccess (saying certificate is good) even for bad certificates (MFSA 2013-103) (2013-11-19)
Ubuntu: NSS vulnerabilities (2013-11-18)
Debian: CVE-2013-5606: nss - The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Securi... (2013)

Community (2)

Bugzilla: CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws [fedora-all] (2013-11-19)
Bugzilla: CVE-2013-5606 nss: CERT_VerifyCert returns SECSuccess (saying certificate is good) even for bad certificates (MFSA 2013-103) (2013-11-18)
CVE-2013-5606 (MEDIUM CVSS 5.8) | The CERT_VerifyCert function in lib | cvebase.io