CVE-2007-0008

Severity

68%

Complexity

86%

Confidentiality

106%

Integer underflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, SeaMonkey before 1.0.8, Thunderbird before 1.5.0.10, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via a crafted SSLv2 server message containing a public key that is too short to encrypt the "Master Secret", which results in a heap-based overflow.

Integer underflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, SeaMonkey before 1.0.8, Thunderbird before 1.5.0.10, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via a crafted SSLv2 server message containing a public key that is too short to encrypt the "Master Secret", which results in a heap-based overflow.

CVSS 2.0 Base Score 6.8. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P).

Overview

Type

Mozilla

First reported 18 years ago

2007-02-26 20:28:00

Last updated 6 years ago

2018-10-16 16:29:00

Affected Software

Mozilla Firefox 0.1

0.1

Mozilla Firefox 0.2

0.2

Mozilla Firefox 0.3

0.3

Mozilla Firefox 0.4

0.4

Mozilla Firefox 0.5

0.5

Mozilla Firefox 0.6

0.6

Mozilla Firefox 0.6.1

0.6.1

Mozilla Firefox 0.7

0.7

Mozilla Firefox 0.7.1

0.7.1

Mozilla Firefox 0.8

0.8

Mozilla Firefox 0.9

0.9

Mozilla Firefox 0.9 rc

0.9

Mozilla Firefox 0.9.1

0.9.1

Mozilla Firefox 0.9.2

0.9.2

Mozilla Firefox 0.9.3

0.9.3

Mozilla Firefox 0.10

0.10

Mozilla Firefox 0.10.1

0.10.1

Mozilla Firefox 1.0

1.0

Mozilla Firefox 1.0 Preview Release

1.0

Mozilla Firefox 1.0.1

1.0.1

Mozilla Firefox 1.0.2

1.0.2

Mozilla Firefox 1.0.3

1.0.3

Mozilla Firefox 1.0.4

1.0.4

Mozilla Firefox 1.0.5

1.0.5

Mozilla Firefox 1.0.6

1.0.6

Mozilla Firefox 1.0.7

1.0.7

Mozilla Firefox 1.0.8

1.0.8

Mozilla Firefox 1.4.1

1.4.1

Mozilla Firefox 1.5

1.5

Mozilla Firefox 1.5.0.1

1.5.0.1

Mozilla Firefox 1.5.0.2

1.5.0.2

Mozilla Firefox 1.5.0.3

1.5.0.3

Mozilla Firefox 1.5.0.4

1.5.0.4

Mozilla Firefox 1.5.0.5

1.5.0.5

Mozilla Firefox 1.5.0.6

1.5.0.6

Mozilla Firefox 1.5.0.7

1.5.0.7

Mozilla Firefox 1.5.0.8

1.5.0.8

Mozilla Firefox

Mozilla Firefox 1.5.0.10

1.5.0.10

Mozilla Firefox 1.5.0.11

1.5.0.11

Mozilla Firefox 1.5.0.12

1.5.0.12

Mozilla Firefox 2.0

2.0

Mozilla Firefox 2.0.0.1

2.0.0.1

Mozilla Network Security Services 3.11.2

3.11.2

Mozilla Network Security Services 3.11.3

3.11.3

Mozilla Network Security Services 3.11.4

3.11.4

Mozilla SeaMonkey 1.0

1.0

Mozilla SeaMonkey 1.0.1

1.0.1

Mozilla SeaMonkey 1.0.2

1.0.2

Mozilla SeaMonkey 1.0.3

1.0.3

Mozilla SeaMonkey 1.0.4

1.0.4

Mozilla SeaMonkey 1.0.5

1.0.5

Mozilla SeaMonkey 1.0.6

1.0.6

Mozilla SeaMonkey

Mozilla Thunderbird 0.1

0.1

Mozilla Thunderbird 0.2

0.2

Mozilla Thunderbird 0.3

0.3

Mozilla Thunderbird 0.4

0.4

Mozilla Thunderbird 0.5

0.5

Mozilla Thunderbird 0.6

0.6

Mozilla Thunderbird 0.7

0.7

Mozilla Thunderbird 0.7.1

0.7.1

Mozilla Thunderbird 0.7.2

0.7.2

Mozilla Thunderbird 0.7.3

0.7.3

Mozilla Thunderbird 0.8

0.8

Mozilla Thunderbird 0.9

0.9

Mozilla Thunderbird 1.0

1.0

Mozilla Thunderbird 1.0.2

1.0.2

Mozilla Thunderbird 1.0.5

1.0.5

Mozilla Thunderbird 1.0.6

1.0.6

Mozilla Thunderbird 1.0.7

1.0.7

Mozilla Thunderbird 1.0.8

1.0.8

Mozilla Thunderbird 1.5

1.5

Mozilla Thunderbird 1.5 Beta 2

1.5

Mozilla Thunderbird 1.5.0.2

1.5.0.2

Mozilla Thunderbird 1.5.0.4

1.5.0.4

Mozilla Thunderbird 1.5.0.5

1.5.0.5

Mozilla Thunderbird 1.5.0.7

1.5.0.7

Mozilla Thunderbird 1.5.0.8

1.5.0.8

Mozilla Thunderbird

References

20070202-01-P

20070301-01-P

FEDORA-2007-278

FEDORA-2007-279

FEDORA-2007-281

FEDORA-2007-293

FEDORA-2007-308

FEDORA-2007-309

HPSBUX02153

20070223 Mozilla Network Security Services SSLv2 Client Integer Underflow Vulnerability

Vendor Advisory

SUSE-SA:2007:019

RHSA-2007:0077

24205

Vendor Advisory

24238

Vendor Advisory

24252

Vendor Advisory

24253

Vendor Advisory

24277

Vendor Advisory

24287

Vendor Advisory

24290

Vendor Advisory

24293

Vendor Advisory

24320

Vendor Advisory

24328

Vendor Advisory

24333

Vendor Advisory

24342

24343

Vendor Advisory

24384

Vendor Advisory

24389

Vendor Advisory

24395

Vendor Advisory

24406

24410

Vendor Advisory

24455

24456

24457

24522

Vendor Advisory

24562

Vendor Advisory

24650

Vendor Advisory

24703

Vendor Advisory

25588

25597

GLSA-200703-18

SSA:2007-066-05

SSA:2007-066-04

SSA:2007-066-03

102856

102945

DSA-1336

GLSA-200703-22

VU#377812

US Government Resource

MDKSA-2007:050

MDKSA-2007:052

http://www.mozilla.org/security/announce/2007/mfsa2007-06.html

Patch, Vendor Advisory

SUSE-SA:2007:022

http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

32105

RHSA-2007:0078

RHSA-2007:0079

RHSA-2007:0097

RHSA-2007:0108

20070226 rPSA-2007-0040-1 firefox

20070303 rPSA-2007-0040-3 firefox thunderbird

22694

64758

1017696

USN-428-1

USN-431-1

ADV-2007-0718

ADV-2007-0719

ADV-2007-1165

ADV-2007-2141

https://bugzilla.mozilla.org/show_bug.cgi?id=364319

Vendor Advisory

nss-mastersecret-bo(32666)

https://issues.rpath.com/browse/RPL-1081

https://issues.rpath.com/browse/RPL-1103

oval:org.mitre.oval:def:10502

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.