cnvd - cnvd-2016-11323

cnvd-2016-11323

Vulnerability from cnvd

Title: Mozilla Network Security Services安全绕过漏洞（CNVD-2016-11323）

Description:

Mozilla Network Security Services (NSS)是一组库旨在支持跨平台开发启用了安全性的多维客户机和服务器应用程序。

Mozilla Network Security Services存在安全绕过漏洞，攻击者利用漏洞可执行未授权操作。

Severity: 中

Patch Name: Mozilla Network Security Services安全绕过漏洞（CNVD-2016-11323）的补丁

Patch Description:

Mozilla Network Security Services (NSS)是一组库旨在支持跨平台开发启用了安全性的多维客户机和服务器应用程序。

Mozilla Network Security Services存在安全绕过漏洞，攻击者利用漏洞可执行未授权操作。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

用户可联系供应商获得补丁信息： https://www.mozilla.org/en-US/

Reference: http://www.securityfocus.com/bid/94341

Impacted products

Name
['Mozilla Network Security Services 3.26.1', 'Mozilla Firefox 50', 'Mozilla Firefox ESR 45.5']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "94341"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-9074"
    }
  },
  "description": "Mozilla Network Security Services (NSS)\u662f\u4e00\u7ec4\u5e93\u65e8\u5728\u652f\u6301\u8de8\u5e73\u53f0\u5f00\u53d1\u542f\u7528\u4e86\u5b89\u5168\u6027\u7684\u591a\u7ef4\u5ba2\u6237\u673a\u548c\u670d\u52a1\u5668\u5e94\u7528\u7a0b\u5e8f\u3002 \r\n\r\nMozilla Network Security Services\u5b58\u5728\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u53ef\u6267\u884c\u672a\u6388\u6743\u64cd\u4f5c\u3002",
  "discovererName": "Franziskus Kiefer",
  "formalWay": "\u7528\u6237\u53ef\u8054\u7cfb\u4f9b\u5e94\u5546\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://www.mozilla.org/en-US/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-11323",
  "openTime": "2016-11-21",
  "patchDescription": "Mozilla Network Security Services (NSS)\u662f\u4e00\u7ec4\u5e93\u65e8\u5728\u652f\u6301\u8de8\u5e73\u53f0\u5f00\u53d1\u542f\u7528\u4e86\u5b89\u5168\u6027\u7684\u591a\u7ef4\u5ba2\u6237\u673a\u548c\u670d\u52a1\u5668\u5e94\u7528\u7a0b\u5e8f\u3002 \r\n\r\nMozilla Network Security Services\u5b58\u5728\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u53ef\u6267\u884c\u672a\u6388\u6743\u64cd\u4f5c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Mozilla Network Security Services\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff08CNVD-2016-11323\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Mozilla Network Security Services 3.26.1",
      "Mozilla Firefox 50",
      "Mozilla Firefox ESR 45.5"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/94341",
  "serverity": "\u4e2d",
  "submitTime": "2016-11-16",
  "title": "Mozilla Network Security Services\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff08CNVD-2016-11323\uff09"
}

CVE-2016-9074 (GCVE-0-2016-9074)

Vulnerability from cvelistv5

Published

2018-06-11 21:00

Modified

2024-08-06 02:42

Severity ?

CWE

Insufficient timing side-channel resistance in divSpoiler

Summary

An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security Services (NSS) 3.26.1. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50.

References

▼	URL	Tags
	https://www.debian.org/security/2016/dsa-3730	vendor-advisory, x_refsource_DEBIAN
	https://bugzilla.mozilla.org/show_bug.cgi?id=1293334	x_refsource_CONFIRM
	https://security.gentoo.org/glsa/201701-46	vendor-advisory, x_refsource_GENTOO
	http://www.securityfocus.com/bid/94341	vdb-entry, x_refsource_BID
	http://www.securitytracker.com/id/1037298	vdb-entry, x_refsource_SECTRACK
	https://security.gentoo.org/glsa/201701-15	vendor-advisory, x_refsource_GENTOO
	https://www.mozilla.org/security/advisories/mfsa2016-93/	x_refsource_CONFIRM
	https://www.mozilla.org/security/advisories/mfsa2016-89/	x_refsource_CONFIRM
	https://www.mozilla.org/security/advisories/mfsa2016-90/	x_refsource_CONFIRM

Impacted products

Vendor

Product

Version

▼

Mozilla

Thunderbird

Version: unspecified < 45.5

	Mozilla	Firefox ESR	Version: unspecified < 45.5
	Mozilla	Firefox	Version: unspecified < 50

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T02:42:09.995Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "DSA-3730",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2016/dsa-3730"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1293334"
          },
          {
            "name": "GLSA-201701-46",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201701-46"
          },
          {
            "name": "94341",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/94341"
          },
          {
            "name": "1037298",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1037298"
          },
          {
            "name": "GLSA-201701-15",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201701-15"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2016-93/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2016-89/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2016-90/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "45.5",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "45.5",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "50",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2016-11-15T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security Services (NSS) 3.26.1. This vulnerability affects Thunderbird \u003c 45.5, Firefox ESR \u003c 45.5, and Firefox \u003c 50."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Insufficient timing side-channel resistance in divSpoiler",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-06-12T09:57:01",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "name": "DSA-3730",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2016/dsa-3730"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1293334"
        },
        {
          "name": "GLSA-201701-46",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/201701-46"
        },
        {
          "name": "94341",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/94341"
        },
        {
          "name": "1037298",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1037298"
        },
        {
          "name": "GLSA-201701-15",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/201701-15"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2016-93/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2016-89/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2016-90/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@mozilla.org",
          "ID": "CVE-2016-9074",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Thunderbird",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "45.5"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Firefox ESR",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "45.5"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Firefox",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "50"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Mozilla"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security Services (NSS) 3.26.1. This vulnerability affects Thunderbird \u003c 45.5, Firefox ESR \u003c 45.5, and Firefox \u003c 50."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Insufficient timing side-channel resistance in divSpoiler"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "DSA-3730",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2016/dsa-3730"
            },
            {
              "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1293334",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1293334"
            },
            {
              "name": "GLSA-201701-46",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/201701-46"
            },
            {
              "name": "94341",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/94341"
            },
            {
              "name": "1037298",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1037298"
            },
            {
              "name": "GLSA-201701-15",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/201701-15"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2016-93/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2016-93/"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2016-89/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2016-89/"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2016-90/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2016-90/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2016-9074",
    "datePublished": "2018-06-11T21:00:00",
    "dateReserved": "2016-10-27T00:00:00",
    "dateUpdated": "2024-08-06T02:42:09.995Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted