CVE Database

CVE-2013-5606

Impact: Moderate
Public: 2013-11-19
Bugzilla: 1031457: CVE-2013-5606 nss: CERT_VerifyCert returns SECSuccess (saying certificate is good) even for bad certificates (MFSA 2013-103)
IAVA: 2013-A-0220

Details

The MITRE CVE dictionary describes this issue as:

The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate.

Find out more about CVE-2013-5606 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score: 4.3
Base Metrics: AV:N/AC:M/Au:N/C:N/I:N/A:P
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat security errata

Platform                                       Errata          Release Date
RHEV Hypervisor for RHEL-6 (rhev-hypervisor6)  RHSA-2014:0041  January 21, 2014
Red Hat Enterprise Linux version 5             RHSA-2013:1791  December 05, 2013
Red Hat Enterprise Linux version 6             RHSA-2013:1829  December 12, 2013

External References

http://www.mozilla.org/security/announce/2013/mfsa2013-103.html

Acknowledgements

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Camilo Viecco as the original reporter of this issue.

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact the Red Hat Security Response Team.