CVE-2006-4340
Gravedad CVSS v2.0:
MEDIA
Tipo:
CWE-20
Validación incorrecta de entrada
Fecha de publicación:
15/09/2006
Última modificación:
03/04/2025
Descripción
La librería Mozilla Network Security Service (NSS) anterior a 3.11.3, usada en Mozilla Firefox anterior a 1.5.0.7, Thunderbird anterior a 1.5.0.7, y SeaMonkey anterior a 1.0.5, cuando se usa una llave RSA con exponente 3, no maneja correctamente los datos en una firma, lo que permite a atacantes remotos falsificar firmas para SSL/TLS y certificados de correo electrónico; una vulnerabilidad muy similar a la CVE-2006-4339. NOTA: el 7/11/2006, Mozilla publicó un aviso afirmando que estas versiones no estaban completamente parcheadas por MFSA2006-60. Las nuevas correcciones para 1.5.0.7 se tratan en CVE-2006-5462.
Impacto
Puntuación base 2.0
4.00
Gravedad 2.0
MEDIA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* | 1.5.0.6 (incluyendo) | |
| cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:* | 3.11.2 (incluyendo) | |
| cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:* | 1.0.4 (incluyendo) | |
| cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* | 1.5.0.6 (incluyendo) |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- ftp://patches.sgi.com/support/free/security/advisories/20060901-01-P.asc
- http://secunia.com/advisories/21903
- http://secunia.com/advisories/21906
- http://secunia.com/advisories/21915
- http://secunia.com/advisories/21916
- http://secunia.com/advisories/21939
- http://secunia.com/advisories/21940
- http://secunia.com/advisories/21949
- http://secunia.com/advisories/21950
- http://secunia.com/advisories/22001
- http://secunia.com/advisories/22025
- http://secunia.com/advisories/22036
- http://secunia.com/advisories/22044
- http://secunia.com/advisories/22055
- http://secunia.com/advisories/22056
- http://secunia.com/advisories/22066
- http://secunia.com/advisories/22074
- http://secunia.com/advisories/22088
- http://secunia.com/advisories/22195
- http://secunia.com/advisories/22210
- http://secunia.com/advisories/22226
- http://secunia.com/advisories/22247
- http://secunia.com/advisories/22274
- http://secunia.com/advisories/22299
- http://secunia.com/advisories/22342
- http://secunia.com/advisories/22422
- http://secunia.com/advisories/22446
- http://secunia.com/advisories/22849
- http://secunia.com/advisories/22992
- http://secunia.com/advisories/23883
- http://secunia.com/advisories/24711
- http://security.gentoo.org/glsa/glsa-200609-19.xml
- http://security.gentoo.org/glsa/glsa-200610-01.xml
- http://securitytracker.com/id?1016858=
- http://securitytracker.com/id?1016859=
- http://securitytracker.com/id?1016860=
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102781-1
- http://support.avaya.com/elmodocs2/security/ASA-2006-224.htm
- http://support.avaya.com/elmodocs2/security/ASA-2006-250.htm
- http://www.debian.org/security/2006/dsa-1192
- http://www.debian.org/security/2006/dsa-1210
- http://www.gentoo.org/security/en/glsa/glsa-200610-06.xml
- http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html
- http://www.mandriva.com/security/advisories?name=MDKSA-2006%3A168
- http://www.mandriva.com/security/advisories?name=MDKSA-2006%3A169
- http://www.matasano.com/log/469/many-rsa-signatures-may-be-forgeable-in-openssl-and-elsewhere/
- http://www.mozilla.org/security/announce/2006/mfsa2006-60.html
- http://www.mozilla.org/security/announce/2006/mfsa2006-66.html
- http://www.novell.com/linux/security/advisories/2006_54_mozilla.html
- http://www.novell.com/linux/security/advisories/2006_55_ssl.html
- http://www.redhat.com/support/errata/RHSA-2006-0675.html
- http://www.redhat.com/support/errata/RHSA-2006-0676.html
- http://www.redhat.com/support/errata/RHSA-2006-0677.html
- http://www.securityfocus.com/archive/1/446140/100/0/threaded
- http://www.ubuntu.com/usn/usn-350-1
- http://www.ubuntu.com/usn/usn-351-1
- http://www.ubuntu.com/usn/usn-352-1
- http://www.ubuntu.com/usn/usn-354-1
- http://www.ubuntu.com/usn/usn-361-1
- http://www.us-cert.gov/cas/techalerts/TA06-312A.html
- http://www.us.debian.org/security/2006/dsa-1191
- http://www.vupen.com/english/advisories/2006/3617
- http://www.vupen.com/english/advisories/2006/3622
- http://www.vupen.com/english/advisories/2006/3748
- http://www.vupen.com/english/advisories/2006/3899
- http://www.vupen.com/english/advisories/2007/0293
- http://www.vupen.com/english/advisories/2007/1198
- http://www.vupen.com/english/advisories/2008/0083
- http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00771742
- http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00771742
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30098
- https://issues.rpath.com/browse/RPL-640
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11007
- ftp://patches.sgi.com/support/free/security/advisories/20060901-01-P.asc
- http://secunia.com/advisories/21903
- http://secunia.com/advisories/21906
- http://secunia.com/advisories/21915
- http://secunia.com/advisories/21916
- http://secunia.com/advisories/21939
- http://secunia.com/advisories/21940
- http://secunia.com/advisories/21949
- http://secunia.com/advisories/21950
- http://secunia.com/advisories/22001
- http://secunia.com/advisories/22025
- http://secunia.com/advisories/22036
- http://secunia.com/advisories/22044
- http://secunia.com/advisories/22055
- http://secunia.com/advisories/22056
- http://secunia.com/advisories/22066
- http://secunia.com/advisories/22074
- http://secunia.com/advisories/22088
- http://secunia.com/advisories/22195
- http://secunia.com/advisories/22210
- http://secunia.com/advisories/22226
- http://secunia.com/advisories/22247
- http://secunia.com/advisories/22274
- http://secunia.com/advisories/22299
- http://secunia.com/advisories/22342
- http://secunia.com/advisories/22422
- http://secunia.com/advisories/22446
- http://secunia.com/advisories/22849
- http://secunia.com/advisories/22992
- http://secunia.com/advisories/23883
- http://secunia.com/advisories/24711
- http://security.gentoo.org/glsa/glsa-200609-19.xml
- http://security.gentoo.org/glsa/glsa-200610-01.xml
- http://securitytracker.com/id?1016858=
- http://securitytracker.com/id?1016859=
- http://securitytracker.com/id?1016860=
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102781-1
- http://support.avaya.com/elmodocs2/security/ASA-2006-224.htm
- http://support.avaya.com/elmodocs2/security/ASA-2006-250.htm
- http://www.debian.org/security/2006/dsa-1192
- http://www.debian.org/security/2006/dsa-1210
- http://www.gentoo.org/security/en/glsa/glsa-200610-06.xml
- http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html
- http://www.mandriva.com/security/advisories?name=MDKSA-2006%3A168
- http://www.mandriva.com/security/advisories?name=MDKSA-2006%3A169
- http://www.matasano.com/log/469/many-rsa-signatures-may-be-forgeable-in-openssl-and-elsewhere/
- http://www.mozilla.org/security/announce/2006/mfsa2006-60.html
- http://www.mozilla.org/security/announce/2006/mfsa2006-66.html
- http://www.novell.com/linux/security/advisories/2006_54_mozilla.html
- http://www.novell.com/linux/security/advisories/2006_55_ssl.html
- http://www.redhat.com/support/errata/RHSA-2006-0675.html
- http://www.redhat.com/support/errata/RHSA-2006-0676.html
- http://www.redhat.com/support/errata/RHSA-2006-0677.html
- http://www.securityfocus.com/archive/1/446140/100/0/threaded
- http://www.ubuntu.com/usn/usn-350-1
- http://www.ubuntu.com/usn/usn-351-1
- http://www.ubuntu.com/usn/usn-352-1
- http://www.ubuntu.com/usn/usn-354-1
- http://www.ubuntu.com/usn/usn-361-1
- http://www.us-cert.gov/cas/techalerts/TA06-312A.html
- http://www.us.debian.org/security/2006/dsa-1191
- http://www.vupen.com/english/advisories/2006/3617
- http://www.vupen.com/english/advisories/2006/3622
- http://www.vupen.com/english/advisories/2006/3748
- http://www.vupen.com/english/advisories/2006/3899
- http://www.vupen.com/english/advisories/2007/0293
- http://www.vupen.com/english/advisories/2007/1198
- http://www.vupen.com/english/advisories/2008/0083
- http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00771742
- http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00771742
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30098
- https://issues.rpath.com/browse/RPL-640
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11007