Use-After-Free Vulnerability in Mozilla NSS Affecting Firefox
CVE-2016-1979

8.8HIGH

Key Information:

Vendor

Mozilla
Status
Firefox
Network Security Services
Vendor
CVE Published:
13 March 2016

What is CVE-2016-1979?

A use-after-free vulnerability exists in the PK11_ImportDERPrivateKeyInfoAndReturnKey function of Mozilla Network Security Services (NSS). This issue affects versions prior to 3.21.1 and is utilized in Mozilla Firefox versions prior to 45.0. Attackers could exploit this vulnerability by sending specially crafted key data with DER encoding, potentially leading to a denial of service or other unspecified impacts.

References

https://bto.bluecoat.com/security-advisory/sa124
x_refsource_CONFIRM
http://www.securityfocus.com/bid/84221
vdb-entryx_refsource_BID
http://www.oracle.com/technetwork/topics/security/ovmbull...
x_refsource_CONFIRM

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2016-1979 : Use-After-Free Vulnerability in Mozilla NSS Affecting Firefox