Vulnerability Description
Integer underflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, SeaMonkey before 1.0.8, Thunderbird before 1.5.0.10, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via a crafted SSLv2 server message containing a public key that is too short to encrypt the "Master Secret", which results in a heap-based overflow.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | <= 1.5.0.9 |
| Mozilla | Network Security Services | 3.11.2 |
| Mozilla | Seamonkey | <= 1.0.7 |
| Mozilla | Thunderbird | <= 1.5.0.9 |
Related Weaknesses (CWE)
References
- ftp://patches.sgi.com/support/free/security/advisories/20070202-01-P.asc
- ftp://patches.sgi.com/support/free/security/advisories/20070301-01-P.asc
- http://fedoranews.org/cms/node/2709
- http://fedoranews.org/cms/node/2711
- http://fedoranews.org/cms/node/2713
- http://fedoranews.org/cms/node/2728
- http://fedoranews.org/cms/node/2747
- http://fedoranews.org/cms/node/2749
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=482Vendor Advisory
- http://lists.suse.com/archive/suse-security-announce/2007-Mar/0001.html
- http://rhn.redhat.com/errata/RHSA-2007-0077.html
- http://secunia.com/advisories/24205Vendor Advisory
- http://secunia.com/advisories/24238Vendor Advisory
- http://secunia.com/advisories/24252Vendor Advisory
FAQ
What is CVE-2007-0008?
CVE-2007-0008 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Integer underflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, SeaMonkey before 1.0.8, Thunderbird before 1...
How severe is CVE-2007-0008?
CVE-2007-0008 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2007-0008?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Network Security Services, Mozilla Seamonkey, Mozilla Thunderbird.