Severity: 9.3 CRITICAL
EPSS: 1.6% (top 18.48%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 6, latest update May 13

Description

Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors involving a resumption handshake that triggers incorrect replacement of a session ticket.

CVSS vector

AV:N/AC:M/C:C/I:C/A:C
Exploitability: 8.6 | Impact: 10.0

Affected Packages: 11 packages

Also affects: Debian Linux 7.0, Fedora 19, 20, Ubuntu Linux 12.04, 12.10, 13.10

Patches

🔴 Vulnerability Details (3)

GHSA: GHSA-68r6-xqmg-xhxx: Race condition in libssl in Mozilla Network Security Services (NSS) before 3 (2022-05-13)
OSV: CVE-2014-1490: Race condition in libssl in Mozilla Network Security Services (NSS) before 3 (2014-02-06)
CVEList: CVE-2014-1490: Race condition in libssl in Mozilla Network Security Services (NSS) before 3 (2014-02-06)

📋 Vendor Advisories (4)

Ubuntu: Thunderbird vulnerabilities (2014-02-19)
Ubuntu: Firefox vulnerabilities (2014-02-10)
Red Hat: nss: TOCTOU, potential use-after-free in libssl's session ticket processing (MFSA 2014-12) (2014-02-04)
Debian: CVE-2014-1490: nss - Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.... (2014)

💬 Community (1)

Bugzilla: CVE-2014-1490 nss: TOCTOU, potential use-after-free in libssl's session ticket processing (MFSA 2014-12) (2014-02-04)