CVE-2014-1491 — Inadequate Encryption Strength in Mozilla Firefox

CWE-326 — Inadequate Encryption Strength CWE-358 — Improperly Implemented Security Check for Standard CWE-366 — Race Condition within a Thread13 documents9 sources

Severity

4.3MEDIUMNVD

EPSS

0.5%

top 32.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla NSS Mozilla Firefox Mozilla Network Security Services +11 more

Timeline

PublishedFeb 6

Latest updateDec 24

Description

Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages11 packages

▶NVDmozilla/network_security_services< 3.15.4

▶NVDmozilla/firefox< 24.3+1

▶NVDmozilla/seamonkey< 2.24

▶NVDmozilla/thunderbird< 24.3.0

▶Debianmozilla/nss< 2:3.15.4-1+3

Also affects: Debian Linux 7.0, 8.0, Fedora 19, 20, Ubuntu Linux 12.04, 12.10, 13.10

Patches

Patch: hg.mozilla.org ↗Patch: bugzilla.mozilla.org ↗Patch: hg.mozilla.org ↗

🔴Vulnerability Details

OSV

macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse↗2025-12-24

▶

GHSA

GHSA-v496-3mj8-fpc6: Mozilla Network Security Services (NSS) before 3↗2022-05-13

▶

OSV

CVE-2014-1491: Mozilla Network Security Services (NSS) before 3↗2014-02-06

▶

CVEList

CVE-2014-1491: Mozilla Network Security Services (NSS) before 3↗2014-02-06

▶

📋Vendor Advisories

Red Hat

kernel: Linux kernel (macintosh/mac_hid): Denial of Service via race condition in mac_hid_toggle_emumouse↗2025-12-24

▶

Ubuntu

Thunderbird vulnerabilities↗2014-02-19

▶

Ubuntu

Firefox vulnerabilities↗2014-02-10

▶

Red Hat

nss: Do not allow p-1 as a public DH value (MFSA 2014-12)↗2014-02-04

▶

Debian

CVE-2014-1491: nss - Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefo...↗2014

▶

💬Community

Bugzilla

Small subgroup attack↗2015-04-30

▶

Bugzilla

CVE-2014-1491 nss: Do not allow p-1 as a public DH value (MFSA 2014-12)↗2014-02-04

▶