wid-sec-w-2022-0810
Vulnerability from csaf_certbund
Published
2021-12-01 23:00
Modified
2023-02-22 23:00
Summary
Mozilla NSS: Vulnerability allows code execution

Notes

As the provider of its own content made available for use, the BSI is responsible under the general laws. Users, however, are responsible for carefully examining in each individual case the use and/or implementation of the information provided with that content.
Product description
Network Security Services (NSS) is a collection of libraries that provides security functionality for clients and servers in cross-platform development.
Attack
A remote, anonymous attacker can exploit a vulnerability in Mozilla NSS to execute arbitrary program code or to crash the affected application.
Affected operating systems
- UNIX
- Linux
- Windows
- Other



{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Network Security Services (NSS) ist eine Sammlung von Bibliotheken um bei plattform \u00fcbergreifenden Entwicklungen Securityfunktionalit\u00e4ten f\u00fcr Clients und Server bereitzustellen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Mozilla NSS ausnutzen, um beliebigen Programmcode auszuf\u00fchren oder um die betreffende Anwendung zum Absturz zu bringen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- Windows\n- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2022-0810 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2021/wid-sec-w-2022-0810.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2022-0810 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0810"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2023-1955 vom 2023-02-22",
        "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1955.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2023-1952 vom 2023-02-22",
        "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1952.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2023-1953 vom 2023-02-22",
        "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1953.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2023-1954 vom 2023-02-22",
        "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1954.html"
      },
      {
        "category": "external",
        "summary": "Gentoo Linux Security Advisory GLSA-202212-05 vom 2022-12-19",
        "url": "https://security.gentoo.org/glsa/202212-05"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2022-223 vom 2022-12-09",
        "url": "https://alas.aws.amazon.com/AL2022/ALAS-2022-223.html"
      },
      {
        "category": "external",
        "summary": "Mozilla Foundation Security Advisory MFSA2021-51 vom 2021-12-01",
        "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/"
      },
      {
        "category": "external",
        "summary": "Google Project Zero Blog vom 2021-12-01",
        "url": "https://googleprojectzero.blogspot.com/2021/12/this-shouldnt-have-happened.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2021-1722 vom 2021-12-02",
        "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1722.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:4904 vom 2021-12-01",
        "url": "https://access.redhat.com/errata/RHSA-2021:4904"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:4907 vom 2021-12-02",
        "url": "https://access.redhat.com/errata/RHSA-2021:4907"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-5168-1 vom 2021-12-01",
        "url": "https://ubuntu.com/security/notices/USN-5168-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-5168-3 vom 2021-12-01",
        "url": "https://ubuntu.com/security/notices/USN-5168-3"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-5016 vom 2021-12-02",
        "url": "https://www.debian.org/security/2021/dsa-5016"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2021-4904 vom 2021-12-01",
        "url": "https://linux.oracle.com/errata/ELSA-2021-4904.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-5168-2 vom 2021-12-01",
        "url": "https://ubuntu.com/security/notices/USN-5168-2"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:4903 vom 2021-12-01",
        "url": "https://access.redhat.com/errata/RHSA-2021:4903"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2021-4903 vom 2021-12-01",
        "url": "https://linux.oracle.com/errata/ELSA-2021-4903.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2021-1552 vom 2021-12-02",
        "url": "https://alas.aws.amazon.com/ALAS-2021-1552.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:4909 vom 2021-12-02",
        "url": "https://access.redhat.com/errata/RHSA-2021:4909"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-2836 vom 2021-12-02",
        "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00000.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:4919 vom 2021-12-02",
        "url": "https://access.redhat.com/errata/RHSA-2021:4919"
      },
      {
        "category": "external",
        "summary": "Arch Linux Security Advisory ASA-202112-4 vom 2021-12-03",
        "url": "https://www.cybersecurity-help.cz/vdb/SB2021120324"
      },
      {
        "category": "external",
        "summary": "Arch Linux Security Advisory ASA-202112-3 vom 2021-12-03",
        "url": "https://www.cybersecurity-help.cz/vdb/SB2021120325"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:4933 vom 2021-12-06",
        "url": "https://access.redhat.com/errata/RHSA-2021:4933"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:4946 vom 2021-12-06",
        "url": "https://access.redhat.com/errata/RHSA-2021:4946"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:4932 vom 2021-12-06",
        "url": "https://access.redhat.com/errata/RHSA-2021:4932"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:4953 vom 2021-12-06",
        "url": "https://access.redhat.com/errata/RHSA-2021:4953"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:4954 vom 2021-12-06",
        "url": "https://access.redhat.com/errata/RHSA-2021:4954"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:4969 vom 2021-12-07",
        "url": "https://access.redhat.com/errata/RHSA-2021:4969"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2021:3939-1 vom 2021-12-06",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009847.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2021:3934-1 vom 2021-12-06",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009850.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2021:14858-1 vom 2021-12-06",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009861.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-5168-4 vom 2021-12-07",
        "url": "https://ubuntu.com/security/notices/USN-5168-4"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2021-9591 vom 2021-12-07",
        "url": "http://linux.oracle.com/errata/ELSA-2021-9591.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:4994 vom 2021-12-07",
        "url": "https://access.redhat.com/errata/RHSA-2021:4994"
      },
      {
        "category": "external",
        "summary": "ORACLE OVMSA-2021-0040 vom 2021-12-07",
        "url": "https://oss.oracle.com/pipermail/oraclevm-errata/2021-December/001040.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:5006 vom 2021-12-08",
        "url": "https://access.redhat.com/errata/RHSA-2021:5006"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:5035 vom 2021-12-08",
        "url": "https://access.redhat.com/errata/RHSA-2021:5035"
      },
      {
        "category": "external",
        "summary": "LibreOffice Community Update vom 2021-12-06",
        "url": "https://blog.documentfoundation.org/blog/2021/12/06/libreoffice-7-2-4-and-7-1-8-community/"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2021-002 vom 2021-12-09",
        "url": "https://alas.aws.amazon.com/AL2022/ALAS-2021-002.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:5107 vom 2021-12-16",
        "url": "https://access.redhat.com/errata/RHSA-2021:5107"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:0191 vom 2022-01-20",
        "url": "https://access.redhat.com/errata/RHSA-2022:0191"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 6587384 vom 2022-05-18",
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-heap-based-buffer-overflow-in-mozilla-network-security-services-nss-may-affect-ibm-spectrum-protect-plus-cve-2021-43527/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:2536-1 vom 2022-07-22",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-July/011639.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:2533-1 vom 2022-07-22",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-July/011637.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:2595-1 vom 2022-07-29",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-July/011716.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:2533-2 vom 2022-09-01",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-September/012046.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Mozilla NSS: Schwachstelle erm\u00f6glicht Codeausf\u00fchrung",
    "tracking": {
      "current_release_date": "2023-02-22T23:00:00.000+00:00",
      "generator": {
        "date": "2024-02-15T16:53:57.229+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.0"
        }
      },
      "id": "WID-SEC-W-2022-0810",
      "initial_release_date": "2021-12-01T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2021-12-01T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2021-12-02T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Red Hat, Debian und Fedora aufgenommen"
        },
        {
          "date": "2021-12-06T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Red Hat und SUSE aufgenommen"
        },
        {
          "date": "2021-12-07T23:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Ubuntu, Oracle Linux, Red Hat und ORACLE aufgenommen"
        },
        {
          "date": "2021-12-08T23:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Red Hat und LibreOffice aufgenommen"
        },
        {
          "date": "2021-12-16T23:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-01-19T23:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-05-17T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2022-05-19T22:00:00.000+00:00",
          "number": "9",
          "summary": "Referenz(en) aufgenommen: 2088353"
        },
        {
          "date": "2022-07-24T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2022-07-31T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2022-09-01T22:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2022-12-11T23:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2022-12-18T23:00:00.000+00:00",
          "number": "14",
          "summary": "Neue Updates von Gentoo aufgenommen"
        },
        {
          "date": "2023-02-22T23:00:00.000+00:00",
          "number": "15",
          "summary": "Neue Updates von Amazon aufgenommen"
        }
      ],
      "status": "final",
      "version": "15"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Gentoo Linux",
            "product": {
              "name": "Gentoo Linux",
              "product_id": "T012167",
              "product_identification_helper": {
                "cpe": "cpe:/o:gentoo:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Gentoo"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "IBM Spectrum Protect Plus",
            "product": {
              "name": "IBM Spectrum Protect Plus",
              "product_id": "T023257",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:spectrum_protect:::plus"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Mozilla NSS \u003c 3.68.1 ESR",
                "product": {
                  "name": "Mozilla NSS \u003c 3.68.1 ESR",
                  "product_id": "T021152",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mozilla:network_security_services:3.68.1_esr"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Mozilla NSS \u003c 3.73",
                "product": {
                  "name": "Mozilla NSS \u003c 3.73",
                  "product_id": "T021153",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mozilla:network_security_services:3.73"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "NSS"
          }
        ],
        "category": "vendor",
        "name": "Mozilla"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source Arch Linux",
            "product": {
              "name": "Open Source Arch Linux",
              "product_id": "T013312",
              "product_identification_helper": {
                "cpe": "cpe:/o:archlinux:archlinux:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Open Source LibreOffice \u003c 7.1.8",
                "product": {
                  "name": "Open Source LibreOffice \u003c 7.1.8",
                  "product_id": "T021224",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:libreoffice:libreoffice:7.1.8"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Open Source LibreOffice \u003c 7.2.4",
                "product": {
                  "name": "Open Source LibreOffice \u003c 7.2.4",
                  "product_id": "T021225",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:libreoffice:libreoffice:7.2.4"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "LibreOffice"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Oracle Linux",
            "product": {
              "name": "Oracle Linux",
              "product_id": "T004914",
              "product_identification_helper": {
                "cpe": "cpe:/o:oracle:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-43527",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Mozilla NSS aufgrund einer fehlenden \u00dcberpr\u00fcfung der Speichergrenzen in der Funktion \"CERT_VerifyCertificate()\" bei der Verarbeitung von DSA- oder RSA-Signaturen mit Standard- DER-Kodierung. Schl\u00fcsselwerte, die l\u00e4nger als 16384 Bits sind, k\u00f6nnen eine \u00dcberlaufsituation ausl\u00f6sen, bevor die Signatur\u00fcberpr\u00fcfung stattfindet. Ein Angreifer kann dies ausnutzen, um beliebigen Code auszuf\u00fchren oder einen Denial of Service-Zustand mit speziell gestalteten Schl\u00fcsseln oder Zertifikaten herbeizuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T013312",
          "398363",
          "T012167",
          "T023257",
          "T004914"
        ]
      },
      "release_date": "2021-12-01T23:00:00Z",
      "title": "CVE-2021-43527"
    }
  ]
}

