{
  "threat_severity" : "Moderate",
  "public_date" : "2014-02-04T00:00:00Z",
  "bugzilla" : {
    "description" : "nss: TOCTOU, potential use-after-free in libssl's session ticket processing (MFSA 2014-12)",
    "id" : "1060953",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1060953"
  },
  "cvss" : {
    "cvss_base_score" : "5.1",
    "cvss_scoring_vector" : "AV:N/AC:H/Au:N/C:P/I:P/A:P",
    "status" : "verified"
  },
  "cwe" : "CWE-367->CWE-416",
  "details" : [ "Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors involving a resumption handshake that triggers incorrect replacement of a session ticket.", "A race condition was found in the way NSS implemented session ticket handling as specified by RFC 5077. An attacker could use this flaw to crash an application using NSS or, in rare cases, execute arbitrary code with the privileges of the user running that application." ],
  "acknowledgement" : "Red Hat would like to thank Mozilla project for reporting this issue. Upstream acknowledges Brian Smith as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "release_date" : "2014-09-16T00:00:00Z",
    "advisory" : "RHSA-2014:1246",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5",
    "package" : "nss-0:3.16.1-2.el5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2014-07-22T00:00:00Z",
    "advisory" : "RHSA-2014:0917",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "nspr-0:4.10.6-1.el6_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2014-07-22T00:00:00Z",
    "advisory" : "RHSA-2014:0917",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "nss-0:3.16.1-4.el6_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2014-07-22T00:00:00Z",
    "advisory" : "RHSA-2014:0917",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "nss-util-0:3.16.1-1.el6_5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 4",
    "fix_state" : "Will not fix",
    "package_name" : "nss",
    "cpe" : "cpe:/o:redhat:enterprise_linux:4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "nss",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-1490\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-1490\nhttp://www.mozilla.org/security/announce/2014/mfsa2014-12.html" ],
  "name" : "CVE-2014-1490",
  "csaw" : false
}