CVE-2017-5461
Summary
| CVE | CVE-2017-5461 |
|---|---|
| State | PUBLISHED |
| Assigner | mozilla |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-05-11 01:29:05 UTC |
| Updated | 2025-04-20 01:37:25 UTC |
| Description | Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by leveraging incorrect base64 operations. |
Risk And Classification
Primary CVSS: v3.0 9.8 CRITICAL from [email protected]
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Problem Types: CWE-787 | Out-of-bounds write in Base64 encoding in NSS
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.0 | [email protected] | Primary | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 2.0 | [email protected] | Primary | 7.5 | | AV:N/AC:L/Au:N/C:P/I:P/A:P |
CVSS v3.0 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | Partial |
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Mozilla | Network Security Services | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Mozilla | Thunderbird | affected unspecified 52.1 custom | Not specified |
| CNA | Mozilla | Firefox ESR | affected unspecified 45.9 custom | Not specified |
| CNA | Mozilla | Firefox ESR | affected unspecified 52.1 custom | Not specified |
| CNA | Mozilla | Firefox | affected unspecified 53 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Security vulnerabilities fixed in Thunderbird 52.1 — Mozilla | af854a3a-2127-422b-91ae-364da2661108 | www.mozilla.org | Vendor Advisory |
| Mozilla Network Security Service (NSS): Multiple vulnerabilities (GLSA 201705-04) — Gentoo security | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | Third Party Advisory |
| Mozilla Firefox Multiple Bugs Let Remote Users Bypass Security Restrictions, Spoof URLs, Obtain Potentially Sensitive Information, Deny Service, and Execute Arbitrary Code - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | Third Party Advisory, VDB Entry |
| Debian -- Security Information -- DSA-3831-1 firefox-esr | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | Patch |
| Oracle Critical Patch Update Advisory - July 2021 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | access.redhat.com | Patch |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | access.redhat.com | Patch |
| NSS 3.29.5 release notes - Mozilla \| MDN | af854a3a-2127-422b-91ae-364da2661108 | developer.mozilla.org | Release Notes, Vendor Advisory |
| Security vulnerabilities fixed in Firefox 53 — Mozilla | af854a3a-2127-422b-91ae-364da2661108 | www.mozilla.org | Vendor Advisory |
| Debian -- Security Information -- DSA-3872-1 nss | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | Patch |
| NSS 3.30.1 release notes - Mozilla \| MDN | af854a3a-2127-422b-91ae-364da2661108 | developer.mozilla.org | Release Notes, Vendor Advisory |
| Mozilla Network Security Services CVE-2017-5461 Memory Corruption Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Oracle Critical Patch Update - October 2017 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Patch |
| NSS 3.21.4 release notes - Mozilla \| MDN | af854a3a-2127-422b-91ae-364da2661108 | developer.mozilla.org | Release Notes, Vendor Advisory |
| Security vulnerabilities fixed in Firefox ESR 52.1 — Mozilla | af854a3a-2127-422b-91ae-364da2661108 | www.mozilla.org | Vendor Advisory |
| NSS 3.28.4 release notes - Mozilla \| MDN | af854a3a-2127-422b-91ae-364da2661108 | developer.mozilla.org | Release Notes, Vendor Advisory |
| Oracle Critical Patch Update - January 2018 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Patch |
| 1344380 - (CVE-2017-5461) Write beyond bounds caused by bugs in Base64 de/encoding in nssb64d.c and nssb64e.c | af854a3a-2127-422b-91ae-364da2661108 | bugzilla.mozilla.org | Issue Tracking, Permissions Required |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | access.redhat.com | Patch |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | access.redhat.com | Patch |
| Security vulnerabilities fixed in Firefox ESR 45.9 — Mozilla | af854a3a-2127-422b-91ae-364da2661108 | www.mozilla.org | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 378265 Virtuozzo Linux Security Update for nss-util-devel (VZLSA-2017:1100)
- 690289 Free Berkeley Software Distribution (FreeBSD) Security Update for mozilla (5e0a038a-ca30-416d-a2f5-38cbf5e7df33)
- 710287 Gentoo Linux Mozilla Firefox Multiple Vulnerabilities (GLSA 201802-03)
- 710397 Gentoo Linux Mozilla Network Security Service (NSS) Multiple Vulnerabilities (GLSA 201705-04)
- 904930 Common Base Linux Mariner (CBL-Mariner) Security Update for openjdk8 (12401)