1. Home
  2. CVE Database
  3. CVE-2016-1950
HIGH · 8.8

CVE-2016-1950

Heap-based buffer overflow in Mozilla Network Security Services (NSS) before 3.19.2.3 and 3.20.x and 3.21.x before 3.21.1, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allo...

Vulnerability Description

Heap-based buffer overflow in Mozilla Network Security Services (NSS) before 3.19.2.3 and 3.20.x and 3.21.x before 3.21.1, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to execute arbitrary code via crafted ASN.1 data in an X.509 certificate.

CVSS Score

8.8

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
MozillaNetwork Security Services3.19.2
MozillaFirefox<= 44.0.2
OracleLinux5.0
OracleVm Server3.2
AppleIphone Os<= 9.2.1
AppleMac Os X<= 10.11.3
AppleTvos<= 9.1
AppleWatchos<= 2.1
OracleGlassfish Server2.1.1
OracleIplanet Web Proxy Server4.0
OracleIplanet Web Server7.0
OpensuseOpensuse13.1

Related Weaknesses (CWE)

CWE-119

References

FAQ

What is CVE-2016-1950?

CVE-2016-1950 is a vulnerability with a CVSS score of 8.8 (HIGH). Heap-based buffer overflow in Mozilla Network Security Services (NSS) before 3.19.2.3 and 3.20.x and 3.21.x before 3.21.1, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allo...

How severe is CVE-2016-1950?

CVE-2016-1950 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-1950?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Network Security Services, Mozilla Firefox, Oracle Linux, Oracle Vm Server, Apple Iphone Os.