CVE-2014-1498 — Improper Verification of Cryptographic Signature in Mozilla Firefox

CWE-347 — Improper Verification of Cryptographic Signature7 documents6 sources

Severity

5.0MEDIUMNVD

EPSS

0.5%

top 32.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

8

Mozilla Firefox Mozilla Seamonkey Opensuse +5 more

Timeline

PublishedMar 19

Latest updateMay 13

Description

The crypto.generateCRMFRequest method in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 does not properly validate a certain key type, which allows remote attackers to cause a denial of service (application crash) via vectors that trigger generation of a key that supports the Elliptic Curve ec-dual-use algorithm.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages8 packages

▶NVDmozilla/firefox< 28.0

▶NVDmozilla/seamonkey< 2.25

▶NVDoracle/solaris11.3

▶NVDopensuse/opensuse13.1

▶NVDopensuse_project/opensuse11.4, 12.3+1

🔴Vulnerability Details

2

GHSA

GHSA-6r88-384v-fg82: The crypto↗2022-05-13

▶

CVEList

CVE-2014-1498: The crypto↗2014-03-19

▶

📋Vendor Advisories

2

Red Hat

Mozilla: crypto.generateCRMFRequest does not validate type of key (MFSA 2014-18)↗2014-03-18

▶

Ubuntu

Firefox vulnerabilities↗2014-03-18

▶

💬Community

2

Bugzilla

CVE-2015-2328 pcre: infinite recursion compiling pattern with recursive reference in a group with indefinite repeat (8.36/20)↗2015-11-25

▶

Bugzilla

CVE-2014-1498 Mozilla: crypto.generateCRMFRequest does not validate type of key (MFSA 2014-18)↗2014-03-17

▶

CVE-2014-1498 — Mozilla Firefox vulnerability | cvebase