{ "threat_severity" : "Moderate", "public_date" : "2014-01-05T00:00:00Z", "bugzilla" : { "description" : "nss: false start PR_Recv information disclosure security issue", "id" : "1053725", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1053725" }, "cvss" : { "cvss_base_score" : "4.3", "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:N/A:N", "status" : "verified" }, "details" : [ "The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic.", "A flaw was found in the way TLS False Start was implemented in NSS. An attacker could use this flaw to potentially return unencrypted information from the server." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 5", "release_date" : "2014-09-16T00:00:00Z", "advisory" : "RHSA-2014:1246", "cpe" : "cpe:/o:redhat:enterprise_linux:5", "package" : "nss-0:3.16.1-2.el5" }, { "product_name" : "Red Hat Enterprise Linux 6", "release_date" : "2014-07-22T00:00:00Z", "advisory" : "RHSA-2014:0917", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "package" : "nspr-0:4.10.6-1.el6_5" }, { "product_name" : "Red Hat Enterprise Linux 6", "release_date" : "2014-07-22T00:00:00Z", "advisory" : "RHSA-2014:0917", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "package" : "nss-0:3.16.1-4.el6_5" }, { "product_name" : "Red Hat Enterprise Linux 6", "release_date" : "2014-07-22T00:00:00Z", "advisory" : "RHSA-2014:0917", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "package" : "nss-util-0:3.16.1-1.el6_5" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "nss", "cpe" : "cpe:/o:redhat:enterprise_linux:7" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2013-1740\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-1740" ], "name" : "CVE-2013-1740", "csaw" : false }