Vulnerability Details : CVE-2009-2404
Heap-based buffer overflow in a regular-expression parser in Mozilla Network Security Services (NSS) before 3.12.3, as used in Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger (AIM), allows remote SSL servers to cause a denial of service (application crash) or possibly execute arbitrary code via a long domain name in the subject's Common Name (CN) field of an X.509 certificate, related to the cert_TestHostName function.
Vulnerability category: Overflow; Execute code; Denial of service
Products affected by CVE-2009-2404
- cpe:2.3:a:mozilla:network_security_services:3.12.3:*:*:*:*:*:*:*
  - When used together with: AOL » Instant Messenger
  - When used together with: Mozilla » Thunderbird
Exploit prediction scoring system (EPSS) score for CVE-2009-2404
- EPSS score: 60.45% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~97% (the proportion of vulnerabilities that are scored at or below this value)
CVSS scores for CVE-2009-2404
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.3 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C | 8.6 | 10.0 | NIST | |
CWE ids for CVE-2009-2404
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2009-2404
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:216 (Mandriva)
- http://www.novell.com/linux/security/advisories/2009_48_firefox.html (SUSE)
- http://rhn.redhat.com/errata/RHSA-2009-1185.html (RHSA-2009:1185 - Security Advisory - Red Hat Customer Portal)
- http://www.mozilla.org/security/announce/2009/mfsa2009-43.html (Heap overflow in certificate regexp parsing, Mozilla) [Patch; Vendor Advisory]
- https://bugzilla.redhat.com/show_bug.cgi?id=512912 (Bug 512912: (CVE-2009-2404) nss regexp heap overflow)
- http://www.blackhat.com/presentations/bh-usa-09/MARLINSPIKE/BHUSA09-Marlinspike-DefeatSSL-SLIDES.pdf
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:197 (Mandriva)
- http://www.oracle.com/technetwork/topics/security/cpuapr2010-099504.html (Oracle Critical Patch Update - April 2010)
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021699.1-1
- http://www.vupen.com/english/advisories/2009/2085 [Patch; Vendor Advisory]
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11174
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021030.1-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-273910-1
- http://www.redhat.com/support/errata/RHSA-2009-1207.html (Red Hat)
- https://usn.ubuntu.com/810-2/
- http://www.ubuntu.com/usn/usn-810-1 (USN-810-1: NSS vulnerabilities, Ubuntu security notices)
- http://www.securityfocus.com/bid/35891 [Patch]
- http://www.debian.org/security/2009/dsa-1874 ([SECURITY] [DSA 1874-1] New nss packages fix several vulnerabilities)
- http://www.us-cert.gov/cas/techalerts/TA10-103B.html (Oracle Updates for Multiple Vulnerabilities, CISA) [US Government Resource]
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8658