CVE-2014-1492

CWE-20 — Improper Input Validation CWE-172 CWE-697 CWE-295 — Improper Certificate Validation10 documents8 sources

Severity

4.3MEDIUM

EPSS

0.8%

top 25.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Network Security Services

Timeline

PublishedMar 25

Latest updateMay 14

Description

The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶NVDmozilla/network_security_services3.15.5+49

▶Debiannss< 2:3.16-1+3

Patches

Patch: hg.mozilla.org ↗Patch: hg.mozilla.org ↗

🔴Vulnerability Details

GHSA

GHSA-fxvw-6w4h-3mx5: The cert_TestHostName function in lib/certdb/certdb↗2022-05-14

▶

CVEList

CVE-2014-1492: The cert_TestHostName function in lib/certdb/certdb↗2014-03-25

▶

OSV

CVE-2014-1492: The cert_TestHostName function in lib/certdb/certdb↗2014-03-25

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2014-04-29

▶

Ubuntu

NSS vulnerability↗2014-04-02

▶

Red Hat

nss: IDNA hostname matching code does not follow RFC 6125 recommendation (MFSA 2014-45)↗2014-03-18

▶

Debian

CVE-2014-1492: nss - The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checkin...↗2014

▶

💬Community

Bugzilla

CVE-2015-1855 ruby: OpenSSL extension hostname matching implementation violates RFC 6125↗2015-04-08

▶

Bugzilla

CVE-2014-1492 nss: IDNA hostname matching code does not follow RFC 6125 recommendation (MFSA 2014-45)↗2014-03-24

▶