Vulnerability Details : CVE-2016-1979
Use-after-free vulnerability in the PK11_ImportDERPrivateKeyInfoAndReturnKey function in Mozilla Network Security Services (NSS) before 3.21.1, as used in Mozilla Firefox before 45.0, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted key data with DER encoding.
Vulnerability category: Memory corruption, Denial of service
Products affected by CVE-2016-1979
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-1979
- EPSS score: 4.21% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~91% (the proportion of vulnerabilities that are scored at or less than this one)
CVSS scores for CVE-2016-1979
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
| 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
References for CVE-2016-1979
- [RHSA-2016:0685 - Security Advisory - Red Hat Customer Portal](http://rhn.redhat.com/errata/RHSA-2016-0685.html)
- [SA124 : NSS Vulnerabilities March 2016](https://bto.bluecoat.com/security-advisory/sa124)
- [[security-announce] SUSE-SU-2016:0909-1: important: Security update for](http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00093.html)
- [Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Spoof the Address Bar, Overwrite Files, and Deny Service - SecurityTracker](http://www.securitytracker.com/id/1035215)
- [[security-announce] SUSE-SU-2016:0777-1: important: Security update for](http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00050.html)
- [Mozilla Network Security Services Use After Free CVE-2016-1979 Denial of Service Vulnerability](http://www.securityfocus.com/bid/84221)
- [[security-announce] SUSE-SU-2016:0820-1: important: Security update for](http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00068.html)
- [Oracle Critical Patch Update - October 2017](http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html)
- [Oracle Linux Bulletin - April 2016](http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html)
- [Mozilla Products: Multiple vulnerabilities (GLSA 201605-06) - Gentoo security](https://security.gentoo.org/glsa/201605-06)
- [USN-2973-1: Thunderbird vulnerabilities | Ubuntu security notices](http://www.ubuntu.com/usn/USN-2973-1)
- [NSS 3.21.1 release notes - Mozilla | MDN](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21.1_release_notes)
- [Mozilla Bugzilla bug 1185033](https://bugzilla.mozilla.org/show_bug.cgi?id=1185033)
- [RHSA-2016:0591 - Security Advisory - Red Hat Customer Portal](http://rhn.redhat.com/errata/RHSA-2016-0591.html)
- [[security-announce] openSUSE-SU-2016:0731-1: important: Security update](http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00029.html)
- [RHSA-2016:0684 - Security Advisory - Red Hat Customer Portal](http://rhn.redhat.com/errata/RHSA-2016-0684.html)
- [Oracle VM Server for x86 Bulletin - July 2016](http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html)
- [Debian -- Security Information -- DSA-3576-1 icedove](http://www.debian.org/security/2016/dsa-3576)
- [[security-announce] openSUSE-SU-2016:0733-1: important: Security update](http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00031.html)
- [Debian -- Security Information -- DSA-3688-1 nss](http://www.debian.org/security/2016/dsa-3688)
- [Oracle Critical Patch Update - July 2017](http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html)
- [[security-announce] SUSE-SU-2016:0727-1: important: Security update for](http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00027.html)
- [Use-after-free during processing of DER encoded keys in NSS - Mozilla (Vendor Advisory)](http://www.mozilla.org/security/announce/2016/mfsa2016-36.html)