Vulnerability Details : CVE-2013-0791

The CERT_DecodeCertPackage function in Mozilla Network Security Services (NSS), as used in Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, Thunderbird ESR 17.x before 17.0.5, SeaMonkey before 2.17, and other products, allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) via a crafted certificate.

Vulnerability category: OverflowMemory CorruptionDenial of service

Published 2013-04-03 11:56:21

Updated 2022-12-21 16:17:38

Source Mozilla Corporation

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2013-0791

Probability of exploitation activity in the next 30 days: 6.88%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 93 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2013-0791

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	nvd@nist.gov
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial

CWE ids for CVE-2013-0791

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-0791

http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00019.html

[security-announce] SUSE-SU-2013:0850-1: important: Security update for
Broken Link

CVEs referencing this url
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761

Juniper Networks - 2016-10 Security Bulletin: CTPView: Multiple vulnerabilities in CTPView
Third Party Advisory

CVEs referencing this url
http://www.ubuntu.com/usn/USN-1791-1

USN-1791-1: Thunderbird vulnerabilities | Ubuntu security notices
Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00013.html

[security-announce] SUSE-SU-2013:0645-1: important: Security update for
Broken Link

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00010.html

[security-announce] openSUSE-SU-2013:0631-1: important: Mozilla Firefox
Broken Link

CVEs referencing this url
http://www.mozilla.org/security/announce/2013/mfsa2013-40.html

Out-of-bounds array read in CERT_DecodeCertPackage — Mozilla
Vendor Advisory
http://www.securityfocus.com/bid/58826

Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0791 Out of Bounds Memory Corruption Vulnerability
Third Party Advisory;VDB Entry
http://rhn.redhat.com/errata/RHSA-2013-1144.html

RHSA-2013:1144 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://bugzilla.mozilla.org/show_bug.cgi?id=629816

629816 - (CVE-2013-0791) CERT_DecodeCertPackage reads bytes outside the input buffer
Issue Tracking;Patch;Vendor Advisory
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

Oracle VM Server for x86 Bulletin - July 2016
Third Party Advisory

CVEs referencing this url
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17150

Repository / Oval Repository
Broken Link
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00009.html

[security-announce] openSUSE-SU-2013:0630-1: important: Mozilla Firefox
Broken Link

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2013-1135.html

RHSA-2013:1135 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url

Products affected by CVE-2013-0791

Redhat » Enterprise Linux Desktop » Version: 5.0
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 5.9
cpe:2.3:o:redhat:enterprise_linux_eus:5.9:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 5.0
cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 5.0
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 5.9
cpe:2.3:o:redhat:enterprise_linux_server_aus:5.9:*:*:*:*:*:*:*
Matching versions
Oracle » Vm Server » Version: 3.2 For X86
cpe:2.3:a:oracle:vm_server:3.2:*:*:*:*:*:x86:*
Matching versions
Mozilla » Firefox
Versions up to, including, (<=) 20.0
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird
Versions before (<) 17.0.5
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Network Security Services
Versions before (<) 3.15
cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Seamonkey
Versions before (<) 2.17
cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox Esr
Versions from including (>=) 17.0 and before (<) 17.0.5
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird Esr
Versions from including (>=) 17.0 and before (<) 17.0.5
cpe:2.3:a:mozilla:thunderbird_esr:*:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.04
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.10
cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 10.04
cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 11.10
cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*
Matching versions