CVE-2014-1569

13 documents8 sources

Severity

7.5HIGH

EPSS

3.6%

top 12.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Network Security Services

Timeline

PublishedDec 15

Latest updateMay 17

Description

The definite_length_decoder function in lib/util/quickder.c in Mozilla Network Security Services (NSS) before 3.16.2.4 and 3.17.x before 3.17.3 does not ensure that the DER encoding of an ASN.1 length is properly formed, which allows remote attackers to conduct data-smuggling attacks by using a long byte sequence for an encoding, as demonstrated by the SEC_QuickDERDecodeItem function's improper handling of an arbitrary-length encoding of 0x00.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶NVDmozilla/network_security_services3.16.2.3+6

▶Debiannss< 2:3.17.2-1.1+3

🔴Vulnerability Details

GHSA

GHSA-r84h-wf26-r7jw: The definite_length_decoder function in lib/util/quickder↗2022-05-17

▶

OSV

icu vulnerabilities↗2015-03-05

▶

OSV

CVE-2014-1569: The definite_length_decoder function in lib/util/quickder↗2014-12-15

▶

CVEList

CVE-2014-1569: The definite_length_decoder function in lib/util/quickder↗2014-12-15

▶

📋Vendor Advisories

Ubuntu

NSS vulnerability↗2015-01-07

▶

Red Hat

nss: QuickDER decoder length issue↗2014-12-01

▶

Debian

CVE-2014-1569: nss - The definite_length_decoder function in lib/util/quickder.c in Mozilla Network S...↗2014

▶

💬Community

Bugzilla

CVE-2014-1569 nss: QuickDER decoder length issue [fedora-all]↗2014-12-15

▶

Bugzilla

CVE-2014-1569 nss: QuickDER decoder length issue↗2014-12-15

▶