National Vulnerability Database

CVE-2007-0008 Detail

Current Description

Integer underflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, SeaMonkey before 1.0.8, Thunderbird before 1.5.0.10, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via a crafted SSLv2 server message containing a public key that is too short to encrypt the "Master Secret", which results in a heap-based overflow.

Source: MITRE
Last Modified: 02/26/2007

Quick Info

CVE Dictionary Entry: CVE-2007-0008
Original release date: 02/26/2007
Last revised: 10/10/2017
Source: US-CERT/NIST

Impact

CVSS Severity (version 2.0):
CVSS v2 Base Score: 6.8 MEDIUM
Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Impact Subscore: 6.4
Exploitability Subscore: 8.6

CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Provides unauthorized access, Allows partial confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service

References to Advisories, Solutions, and Tools

Hyperlink Resource Type Source Name
ftp://patches.sgi.com/support/free/security/advisories/20070202-01-P.asc External Source SGI 20070202-01-P
ftp://patches.sgi.com/support/free/security/advisories/20070301-01-P.asc External Source SGI 20070301-01-P
http://fedoranews.org/cms/node/2709 External Source FEDORA FEDORA-2007-278
http://fedoranews.org/cms/node/2711 External Source FEDORA FEDORA-2007-279
http://fedoranews.org/cms/node/2713 External Source FEDORA FEDORA-2007-281
http://fedoranews.org/cms/node/2728 External Source FEDORA FEDORA-2007-293
http://fedoranews.org/cms/node/2747 External Source FEDORA FEDORA-2007-308
http://fedoranews.org/cms/node/2749 External Source FEDORA FEDORA-2007-309
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742 External Source HP HPSBUX02153
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=482 Vendor Advisory External Source IDEFENSE 20070223 Mozilla Network Security Services SSLv2 Client Integer Underflow Vulnerability
http://lists.suse.com/archive/suse-security-announce/2007-Mar/0001.html External Source SUSE SUSE-SA:2007:019
http://rhn.redhat.com/errata/RHSA-2007-0077.html External Source REDHAT RHSA-2007:0077
http://security.gentoo.org/glsa/glsa-200703-18.xml External Source GENTOO GLSA-200703-18
http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.338131 External Source SLACKWARE SSA:2007-066-05
http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.363947 External Source SLACKWARE SSA:2007-066-04
http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.374851 External Source SLACKWARE SSA:2007-066-03
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102856-1 External Source SUNALERT 102856
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102945-1 External Source SUNALERT 102945
http://www.debian.org/security/2007/dsa-1336 External Source DEBIAN DSA-1336
http://www.gentoo.org/security/en/glsa/glsa-200703-22.xml External Source GENTOO GLSA-200703-22
http://www.kb.cert.org/vuls/id/377812 US Government Resource External Source CERT-VN VU#377812
http://www.mandriva.com/security/advisories?name=MDKSA-2007:050 External Source MANDRIVA MDKSA-2007:050
http://www.mandriva.com/security/advisories?name=MDKSA-2007:052 External Source MANDRIVA MDKSA-2007:052
http://www.mozilla.org/security/announce/2007/mfsa2007-06.html Patch; Vendor Advisory External Source CONFIRM http://www.mozilla.org/security/announce/2007/mfsa2007-06.html
http://www.novell.com/linux/security/advisories/2007_22_mozilla.html External Source SUSE SUSE-SA:2007:022
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html External Source CONFIRM http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
http://www.redhat.com/support/errata/RHSA-2007-0078.html External Source REDHAT RHSA-2007:0078
http://www.redhat.com/support/errata/RHSA-2007-0079.html External Source REDHAT RHSA-2007:0079
http://www.redhat.com/support/errata/RHSA-2007-0097.html External Source REDHAT RHSA-2007:0097
http://www.redhat.com/support/errata/RHSA-2007-0108.html External Source REDHAT RHSA-2007:0108
http://www.securityfocus.com/archive/1/archive/1/461336/100/0/threaded External Source BUGTRAQ 20070226 rPSA-2007-0040-1 firefox
http://www.securityfocus.com/archive/1/archive/1/461809/100/0/threaded External Source BUGTRAQ 20070303 rPSA-2007-0040-3 firefox thunderbird
http://www.securityfocus.com/bid/22694 External Source BID 22694
http://www.securityfocus.com/bid/64758 External Source BID 64758
http://www.securitytracker.com/id?1017696 External Source SECTRACK 1017696
http://www.ubuntu.com/usn/usn-428-1 External Source UBUNTU USN-428-1
http://www.ubuntu.com/usn/usn-431-1 External Source UBUNTU USN-431-1
http://www.vupen.com/english/advisories/2007/0718 External Source VUPEN ADV-2007-0718
http://www.vupen.com/english/advisories/2007/0719 External Source VUPEN ADV-2007-0719
http://www.vupen.com/english/advisories/2007/1165 External Source VUPEN ADV-2007-1165
http://www.vupen.com/english/advisories/2007/2141 External Source VUPEN ADV-2007-2141
https://bugzilla.mozilla.org/show_bug.cgi?id=364319 Vendor Advisory External Source MISC https://bugzilla.mozilla.org/show_bug.cgi?id=364319
https://exchange.xforce.ibmcloud.com/vulnerabilities/32666 External Source XF nss-mastersecret-bo(32666)
https://issues.rpath.com/browse/RPL-1081 External Source CONFIRM https://issues.rpath.com/browse/RPL-1081
https://issues.rpath.com/browse/RPL-1103 External Source CONFIRM https://issues.rpath.com/browse/RPL-1103
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10502 External Source OVAL oval:org.mitre.oval:def:10502

References to Check Content

Identifier: oval:org.mitre.oval:def:10502
Check System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink: http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:10502

Technical Details

Vulnerable software and versions

Configuration 1
OR
cpe:2.3:a:mozilla:firefox:0.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:0.2:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:0.3:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:0.4:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:0.5:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:0.6:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:0.6.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:0.7:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:0.7.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:0.8:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:0.9:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:0.9:rc:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:0.9.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:0.9.2:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:0.9.3:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:0.10:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:0.10.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.0:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.0:preview_release:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.0.3:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.0.4:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.0.5:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.0.6:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.0.7:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.0.8:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.4.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.5:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.5.0.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.5.0.2:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.5.0.3:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.5.0.4:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.5.0.5:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.5.0.6:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.5.0.7:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.5.0.8:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*    versions up to (including) 1.5.0.9
cpe:2.3:a:mozilla:firefox:1.5.0.10:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.5.0.11:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.5.0.12:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:2.0:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:2.0.0.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:network_security_services:3.11.2:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:network_security_services:3.11.3:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:network_security_services:3.11.4:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:seamonkey:1.0:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:seamonkey:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:seamonkey:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:seamonkey:1.0.3:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:seamonkey:1.0.4:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:seamonkey:1.0.5:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:seamonkey:1.0.6:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*    versions up to (including) 1.0.7
cpe:2.3:a:mozilla:thunderbird:0.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:0.2:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:0.3:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:0.4:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:0.5:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:0.6:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:0.7:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:0.7.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:0.7.2:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:0.7.3:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:0.8:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:0.9:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:1.0:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:1.0.3:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:1.0.4:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:1.0.5:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:1.0.6:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:1.0.7:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:1.0.8:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:1.5:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:1.5:beta2:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:1.5.0.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:1.5.0.2:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:1.5.0.3:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:1.5.0.4:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:1.5.0.5:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:1.5.0.6:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:1.5.0.7:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:1.5.0.8:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*    versions up to (including) 1.5.0.9

Change History: 4 change records found