CVE-2016-1978

Public on 2016-03-13
Modified on 2016-05-18
Description
A use-after-free flaw was found in the way NSS handled DHE (Diffie–Hellman key exchange) and ECDHE (Elliptic Curve Diffie-Hellman key exchange) handshake messages. A remote attacker could send a specially crafted handshake message that, when parsed by an application linked against NSS, would cause that application to crash or, under certain special conditions, execute arbitrary code using the permissions of the user running the application.
Severity
Medium severity
Medium
CVSS v3 Base Score
5.1
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 1 nspr 2016-05-18 ALAS-2016-702 Fixed
Amazon Linux 1 nss 2016-05-18 ALAS-2016-702 Fixed
Amazon Linux 1 nss-softokn 2016-05-18 ALAS-2016-702 Fixed
Amazon Linux 1 nss-util 2016-05-18 ALAS-2016-702 Fixed

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv2 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P
NVD CVSSv2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P
NVD CVSSv3 7.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L