Vulnerability CVE-2017-5462


Published: 2018-06-11

Description:
A flaw in DRBG number generation within the Network Security Services (NSS) library where the internal state V does not correctly carry bits over. The NSS library has been updated to fix this issue to address this issue and Firefox ESR 52.1 has been updated with NSS version 3.28.4. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.

Type:

CWE-189

(Numeric Errors)

Vendor: Mozilla
Product: Firefox 
Version:
9.0.1
9.0
8.0.1
8.0
7.0.1
7.0
6.0.2
6.0.1
6.0
52.8.1
52.8.0
52.7.4
52.7.3
52.7.2
52.7.1
52.7.0
52.6.0
52.5.3
52.5.2
52.5.0
52.4.1
52.4.0
52.3.0
52.2.1
52.2.0
52.1.2
52.1.1
52.1.0
52.0.2
52.0.1
52.0
51.0.1
51.0
50.0.2
50.0.1
50.0
5.0.1
5.0
49.0.2
49.0.1
49.0
48.0.2
47.0.1
46.0.1
45.0.2
45.0.1
44.0.2
44.0.1
43.0.4
43.0.3
43.0.2
43.0.1
43.0
42.0
41.0.2
41.0.1
41.0
40.0.3
4.0.1
4.0
See more versions on NVD
Product: Thunderbird 
Version:
9.0.1
9.0
8.0
7.0.1
7.0
6.0.2
6.0.1
6.0
52.0.1
52.0
5.0
45.8.0
45.7.1
45.7.0
45.6.0
45.5.1
45.5.0
45.4.0
45.3.0
45.2.0
45.1.1
45.1.0
45.0
38.8.0
38.7.2
38.7.1
38.7.0
See more versions on NVD
Product: Firefox esr 
Version:
52.0
45.5.0
45.4.0
45.3.0
45.2.0
45.1.1
45.1.0
45.0.2
38.8.0
38.7.1
38.7.0
38.6.1
See more versions on NVD
Vendor: Debian
Product: Debian linux 
Version: 8.0;

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
http://www.securityfocus.com/bid/97940
http://www.securitytracker.com/id/1038320
https://bugzilla.mozilla.org/show_bug.cgi?id=1345089
https://security.gentoo.org/glsa/201705-04
https://www.debian.org/security/2017/dsa-3831
https://www.debian.org/security/2017/dsa-3872
https://www.mozilla.org/security/advisories/mfsa2017-10/
https://www.mozilla.org/security/advisories/mfsa2017-11/
https://www.mozilla.org/security/advisories/mfsa2017-12/
https://www.mozilla.org/security/advisories/mfsa2017-13/

Related CVE
CVE-2019-14809
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is relate...
CVE-2017-18509
An issue was discovered in net/ipv6/ip6mr.c in the Linux kernel before 4.11. By setting a specific socket option, an attacker can control a pointer in kernel land and cause an inet_csk_listen_stop general protection fault, or potentially execute arbi...
CVE-2019-11042
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past ...
CVE-2019-11041
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past ...
CVE-2019-14234
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contri...
CVE-2019-14744
In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated ...
CVE-2019-14439
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logbac...
CVE-2019-14379
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used, leading to remote code execution.

Copyright 2019, cxsecurity.com

 

Back to Top