{
  "threat_severity" : "Low",
  "public_date" : "2014-03-18T00:00:00Z",
  "bugzilla" : {
    "description" : "nss: IDNA hostname matching code does not follow RFC 6125 recommendation (MFSA 2014-45)",
    "id" : "1079851",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1079851"
  },
  "cvss" : {
    "cvss_base_score" : "2.6",
    "cvss_scoring_vector" : "AV:N/AC:H/Au:N/C:N/I:P/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-172->CWE-697->CWE-295",
  "details" : [ "The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.", "It was found that the implementation of Internationalizing Domain Names in Applications (IDNA) hostname matching in NSS did not follow the RFC 6125 recommendations. This could lead to certain invalid certificates with international characters being accepted as valid." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "release_date" : "2014-09-16T00:00:00Z",
    "advisory" : "RHSA-2014:1246",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5",
    "package" : "nss-0:3.16.1-2.el5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2014-07-22T00:00:00Z",
    "advisory" : "RHSA-2014:0917",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "nspr-0:4.10.6-1.el6_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2014-07-22T00:00:00Z",
    "advisory" : "RHSA-2014:0917",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "nss-0:3.16.1-4.el6_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2014-07-22T00:00:00Z",
    "advisory" : "RHSA-2014:0917",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "nss-util-0:3.16.1-1.el6_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2014-08-18T00:00:00Z",
    "advisory" : "RHSA-2014:1073",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "nss-0:3.16.2-2.el7_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2014-08-18T00:00:00Z",
    "advisory" : "RHSA-2014:1073",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "nss-softokn-0:3.16.2-1.el7_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2014-08-18T00:00:00Z",
    "advisory" : "RHSA-2014:1073",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "nss-util-0:3.16.2-1.el7_0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-1492\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-1492" ],
  "name" : "CVE-2014-1492",
  "csaw" : false
}