{"containers": {"cna": {"affected": [{"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "52.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Firefox ESR", "vendor": "Mozilla", "versions": [{"lessThan": "45.9", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "52.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Firefox", "vendor": "Mozilla", "versions": [{"lessThan": "53", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2017-05-10T00:00:00", "descriptions": [{"lang": "en", "value": "Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by leveraging incorrect base64 operations."}], "problemTypes": [{"descriptions": [{"description": "Out-of-bounds write in Base64 encoding in NSS", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-07-20T22:53:05", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"name": "GLSA-201705-04", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201705-04"}, {"name": "98050", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/98050"}, {"name": "RHSA-2017:1103", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1103"}, {"name": "DSA-3831", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2017/dsa-3831"}, {"name": "RHSA-2017:1100", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1100"}, {"name": "RHSA-2017:1102", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1102"}, {"name": "RHSA-2017:1101", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1101"}, {"name": "DSA-3872", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2017/dsa-3872"}, {"name": "1038320", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1038320"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21.4_release_notes"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.1_release_notes"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.29.5_release_notes"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28.4_release_notes"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-11/#CVE-2017-5461"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5461"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-13/#CVE-2017-5461"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1344380"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-12/#CVE-2017-5461"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2017-5461", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Thunderbird", "version": {"version_data": [{"version_affected": "<", "version_value": "52.1"}]}}, {"product_name": "Firefox ESR", "version": {"version_data": [{"version_affected": "<", "version_value": "45.9"}, {"version_affected": "<", "version_value": "52.1"}]}}, {"product_name": "Firefox", "version": {"version_data": [{"version_affected": "<", "version_value": "53"}]}}]}, "vendor_name": "Mozilla"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by leveraging incorrect base64 operations."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Out-of-bounds write in Base64 encoding in NSS"}]}]}, "references": {"reference_data": [{"name": "GLSA-201705-04", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201705-04"}, {"name": "98050", "refsource": "BID", "url": "http://www.securityfocus.com/bid/98050"}, {"name": "RHSA-2017:1103", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:1103"}, {"name": "DSA-3831", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2017/dsa-3831"}, {"name": "RHSA-2017:1100", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:1100"}, {"name": "RHSA-2017:1102", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:1102"}, {"name": "RHSA-2017:1101", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:1101"}, {"name": "DSA-3872", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2017/dsa-3872"}, {"name": "1038320", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1038320"}, {"name": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"}, {"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"}, {"name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"name": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21.4_release_notes", "refsource": "CONFIRM", "url": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21.4_release_notes"}, {"name": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.1_release_notes", "refsource": "CONFIRM", "url": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.1_release_notes"}, {"name": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.29.5_release_notes", "refsource": "CONFIRM", "url": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.29.5_release_notes"}, {"name": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28.4_release_notes", "refsource": "CONFIRM", "url": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28.4_release_notes"}, {"name": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-11/#CVE-2017-5461", "refsource": "CONFIRM", "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-11/#CVE-2017-5461"}, {"name": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5461", "refsource": "CONFIRM", "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5461"}, {"name": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-13/#CVE-2017-5461", "refsource": "CONFIRM", "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-13/#CVE-2017-5461"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1344380", "refsource": "CONFIRM", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1344380"}, {"name": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-12/#CVE-2017-5461", "refsource": "CONFIRM", "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-12/#CVE-2017-5461"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T15:04:14.289Z"}, "title": "CVE Program Container", "references": [{"name": "GLSA-201705-04", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201705-04"}, {"name": "98050", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/98050"}, {"name": "RHSA-2017:1103", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:1103"}, {"name": "DSA-3831", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2017/dsa-3831"}, {"name": "RHSA-2017:1100", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:1100"}, {"name": "RHSA-2017:1102", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:1102"}, {"name": "RHSA-2017:1101", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:1101"}, {"name": "DSA-3872", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2017/dsa-3872"}, {"name": "1038320", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1038320"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21.4_release_notes"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.1_release_notes"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.29.5_release_notes"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28.4_release_notes"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-11/#CVE-2017-5461"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5461"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-13/#CVE-2017-5461"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1344380"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-12/#CVE-2017-5461"}]}]}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2017-5461", "datePublished": "2017-05-11T01:00:00", "dateReserved": "2017-01-13T00:00:00", "dateUpdated": "2024-08-05T15:04:14.289Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:*", "matchCriteriaId": "10B03F76-10F8-436D-93FC-E031766157B6", "versionEndExcluding": "3.21.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:*", "matchCriteriaId": "35AB5F66-C087-4C44-81C9-C153C69C57E5", "versionEndExcluding": "3.28.4", "versionStartExcluding": "3.22", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:*", "matchCriteriaId": "7CBCF5DE-F055-463F-BB92-7ECD14E18BC6", "versionEndExcluding": "3.29.5", "versionStartIncluding": "3.29", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:*", "matchCriteriaId": "D5514E06-CE37-41E6-AD9E-19396DBB9702", "versionEndExcluding": "3.30.1", "versionStartIncluding": "3.30", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by leveraging incorrect base64 operations."}, {"lang": "es", "value": "Los servicios de Seguridad de Red de Mozilla (Network Security Services o NSS) en versiones anteriores a la 3.21.4, versiones de las 3.22.x a las 3.28.x anteriores a la 3.28.4, versiones 3.29.x anteriores a la 3.29.5 y versiones 3.30.x anteriores a la 3.30.1 permiten que atacantes remotos provoquen una denegaci\u00f3n de servicio (escritura fuera de l\u00edmites) o que, probablemente, causen otro impacto no especificado aprovechando operaciones en base64 incorrectas."}], "id": "CVE-2017-5461", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-05-11T01:29:05.807", "references": [{"source": "security@mozilla.org", "tags": ["Patch"], "url": "http://www.debian.org/security/2017/dsa-3831"}, {"source": "security@mozilla.org", "tags": ["Patch"], "url": "http://www.debian.org/security/2017/dsa-3872"}, {"source": "security@mozilla.org", "tags": ["Patch"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"}, {"source": "security@mozilla.org", "tags": ["Patch"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/98050"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1038320"}, {"source": "security@mozilla.org", "tags": ["Patch"], "url": "https://access.redhat.com/errata/RHSA-2017:1100"}, {"source": "security@mozilla.org", "tags": ["Patch"], "url": "https://access.redhat.com/errata/RHSA-2017:1101"}, {"source": "security@mozilla.org", "tags": ["Patch"], "url": "https://access.redhat.com/errata/RHSA-2017:1102"}, {"source": "security@mozilla.org", "tags": ["Patch"], "url": "https://access.redhat.com/errata/RHSA-2017:1103"}, {"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1344380"}, {"source": "security@mozilla.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21.4_release_notes"}, {"source": "security@mozilla.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28.4_release_notes"}, {"source": "security@mozilla.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.29.5_release_notes"}, {"source": "security@mozilla.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.1_release_notes"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201705-04"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5461"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-11/#CVE-2017-5461"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-12/#CVE-2017-5461"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-13/#CVE-2017-5461"}, {"source": "security@mozilla.org", "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://www.debian.org/security/2017/dsa-3831"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://www.debian.org/security/2017/dsa-3872"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/98050"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1038320"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://access.redhat.com/errata/RHSA-2017:1100"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://access.redhat.com/errata/RHSA-2017:1101"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://access.redhat.com/errata/RHSA-2017:1102"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://access.redhat.com/errata/RHSA-2017:1103"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1344380"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21.4_release_notes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28.4_release_notes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.29.5_release_notes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.1_release_notes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201705-04"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5461"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-11/#CVE-2017-5461"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-12/#CVE-2017-5461"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-13/#CVE-2017-5461"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Ronald Crane as the original reporter.", "affected_release": [{"advisory": "RHSA-2017:1103", "cpe": "cpe:/o:redhat:rhel_aus:5.9", "package": "nss-0:3.14.3-11.el5_9", "product_name": "Red Hat Enterprise Linux 5.9 Long Life", "release_date": "2017-04-20T00:00:00Z"}, {"advisory": "RHSA-2017:1101", "cpe": "cpe:/o:redhat:rhel_els:5", "package": "nss-0:3.21.4-1.el5_11", "product_name": "Red Hat Enterprise Linux 5 Extended Lifecycle Support", "release_date": "2017-04-20T00:00:00Z"}, {"advisory": "RHSA-2017:1100", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "nss-0:3.28.4-1.el6_9", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2017-04-20T00:00:00Z"}, {"advisory": "RHSA-2017:1100", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "nss-util-0:3.28.4-1.el6_9", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2017-04-20T00:00:00Z"}, {"advisory": "RHSA-2017:1102", "cpe": "cpe:/o:redhat:rhel_mission_critical:6.2", "package": "nss-util-0:3.13.1-11.el6_2", "product_name": "Red Hat Enterprise Linux 6.2 Advanced Update Support", "release_date": "2017-04-20T00:00:00Z"}, {"advisory": "RHSA-2017:1102", "cpe": "cpe:/o:redhat:rhel_aus:6.4", "package": "nss-util-0:3.14.3-9.el6_4", "product_name": "Red Hat Enterprise Linux 6.4 Advanced Update Support", "release_date": "2017-04-20T00:00:00Z"}, {"advisory": "RHSA-2017:1102", "cpe": "cpe:/o:redhat:rhel_aus:6.5", "package": "nss-util-0:3.16.1-5.el6_5", "product_name": "Red Hat Enterprise Linux 6.5 Advanced Update Support", "release_date": "2017-04-20T00:00:00Z"}, {"advisory": "RHSA-2017:1102", "cpe": "cpe:/o:redhat:rhel_tus:6.5", "package": "nss-util-0:3.16.1-5.el6_5", "product_name": "Red Hat Enterprise Linux 6.5 Telco Extended Update Support", "release_date": "2017-04-20T00:00:00Z"}, {"advisory": "RHSA-2017:1102", "cpe": "cpe:/o:redhat:rhel_aus:6.6", "package": "nss-util-0:3.19.1-4.el6_6", "product_name": "Red Hat Enterprise Linux 6.6 Advanced Update Support", "release_date": "2017-04-20T00:00:00Z"}, {"advisory": "RHSA-2017:1102", "cpe": "cpe:/o:redhat:rhel_tus:6.6", "package": "nss-util-0:3.19.1-4.el6_6", "product_name": "Red Hat Enterprise Linux 6.6 Telco Extended Update Support", "release_date": "2017-04-20T00:00:00Z"}, {"advisory": "RHSA-2017:1102", "cpe": "cpe:/o:redhat:rhel_eus:6.7", "package": "nss-util-0:3.21.4-1.el6_7", "product_name": "Red Hat Enterprise Linux 6.7 Extended Update Support", "release_date": "2017-04-20T00:00:00Z"}, {"advisory": "RHSA-2017:1100", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "nss-0:3.28.4-1.0.el7_3", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2017-04-20T00:00:00Z"}, {"advisory": "RHSA-2017:1100", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "nss-util-0:3.28.4-1.0.el7_3", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2017-04-20T00:00:00Z"}, {"advisory": "RHSA-2017:1102", "cpe": "cpe:/o:redhat:rhel_eus:7.2", "package": "nss-util-0:3.21.4-1.el7_2", "product_name": "Red Hat Enterprise Linux 7.2 Extended Update Support", "release_date": "2017-04-20T00:00:00Z"}], "bugzilla": {"description": "nss: Write beyond bounds caused by bugs in Base64 de/encoding in nssb64d.c and nssb64e.c (MFSA 2017-10)", "id": "1440080", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1440080"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "details": ["Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by leveraging incorrect base64 operations.", "An out-of-bounds write flaw was found in the way NSS performed certain Base64-decoding operations. An attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash or execute arbitrary code, using the permissions of the user running an application compiled against the NSS library."], "name": "CVE-2017-5461", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:4", "fix_state": "Affected", "package_name": "nss", "product_name": "Red Hat Enterprise Linux 4"}], "public_date": "2017-04-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-5461\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-5461\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5461"], "statement": "The security flaw exists in NSS library Base64 encoder/decoder code. Any application which uses NSS library to parse base64 encoded data could possibly be affected by the flaw. For example:\n1. Servers compiled against NSS which parse untrusted certificates or any other base64 encoded data from its users.\n2. Utilities like curl etc which use NSS to parse user provided base64 encoded certificates.\n3. Applications like Firefox which use NSS to parse client-certificates before passing them to the web server.", "threat_severity": "Critical"}