Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2006-4340

Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.7, Thunderbird before 1.5.0.7, and SeaMonkey before 1.0.5, when using an RSA key with exponent 3, does not properly handle extra data in a signature, which allows remote attackers to forge signatures for SSL/TLS and email certificates, a similar vulnerability to CVE-2006-4339. NOTE: on 20061107, Mozilla released an advisory stating that these versions were not completely patched by MFSA2006-60. The newer fixes for 1.5.0.7 are covered by CVE-2006-5462.

Published

2006-09-15T18:07:00.000

Last Modified

2025-04-03T01:03:51.193

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 4.0 (MEDIUM)

CVSSv2 Vector

AV:N/AC:H/Au:N/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

4.9

Impact Score

4.9

Weaknesses

Type: Primary
CWE-20

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	mozilla	firefox	≤ 1.5.0.6	Yes
Application	mozilla	network_security_services	≤ 3.11.2	Yes
Application	mozilla	seamonkey	≤ 1.0.4	Yes
Application	mozilla	thunderbird	≤ 1.5.0.6	Yes

References

ftp://patches.sgi.com/support/free/security/advisories/20060901-01-P.asc ([email protected])
http://secunia.com/advisories/21903 Vendor Advisory ([email protected])
http://secunia.com/advisories/21906 Patch, Vendor Advisory ([email protected])
http://secunia.com/advisories/21915 Vendor Advisory ([email protected])
http://secunia.com/advisories/21916 Vendor Advisory ([email protected])
http://secunia.com/advisories/21939 Vendor Advisory ([email protected])
http://secunia.com/advisories/21940 Vendor Advisory ([email protected])
http://secunia.com/advisories/21949 Patch, Vendor Advisory ([email protected])
http://secunia.com/advisories/21950 Vendor Advisory ([email protected])
http://secunia.com/advisories/22001 Vendor Advisory ([email protected])
http://secunia.com/advisories/22025 Vendor Advisory ([email protected])
http://secunia.com/advisories/22036 Vendor Advisory ([email protected])
http://secunia.com/advisories/22044 ([email protected])
http://secunia.com/advisories/22055 Vendor Advisory ([email protected])
http://secunia.com/advisories/22056 ([email protected])
http://secunia.com/advisories/22066 ([email protected])
http://secunia.com/advisories/22074 Vendor Advisory ([email protected])
http://secunia.com/advisories/22088 Vendor Advisory ([email protected])
http://secunia.com/advisories/22195 ([email protected])
http://secunia.com/advisories/22210 Vendor Advisory ([email protected])
http://secunia.com/advisories/22226 Vendor Advisory ([email protected])
http://secunia.com/advisories/22247 Vendor Advisory ([email protected])
http://secunia.com/advisories/22274 Vendor Advisory ([email protected])
http://secunia.com/advisories/22299 Vendor Advisory ([email protected])
http://secunia.com/advisories/22342 Vendor Advisory ([email protected])
http://secunia.com/advisories/22422 Vendor Advisory ([email protected])
http://secunia.com/advisories/22446 Vendor Advisory ([email protected])
http://secunia.com/advisories/22849 ([email protected])
http://secunia.com/advisories/22992 ([email protected])
http://secunia.com/advisories/23883 ([email protected])
http://secunia.com/advisories/24711 ([email protected])
http://security.gentoo.org/glsa/glsa-200609-19.xml ([email protected])
http://security.gentoo.org/glsa/glsa-200610-01.xml ([email protected])
http://securitytracker.com/id?1016858 ([email protected])
http://securitytracker.com/id?1016859 ([email protected])
http://securitytracker.com/id?1016860 ([email protected])
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1 ([email protected])
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102781-1 ([email protected])
http://support.avaya.com/elmodocs2/security/ASA-2006-224.htm ([email protected])
http://support.avaya.com/elmodocs2/security/ASA-2006-250.htm ([email protected])
http://www.debian.org/security/2006/dsa-1192 ([email protected])
http://www.debian.org/security/2006/dsa-1210 ([email protected])
http://www.gentoo.org/security/en/glsa/glsa-200610-06.xml ([email protected])
http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html ([email protected])
http://www.mandriva.com/security/advisories?name=MDKSA-2006:168 ([email protected])
http://www.mandriva.com/security/advisories?name=MDKSA-2006:169 ([email protected])
http://www.matasano.com/log/469/many-rsa-signatures-may-be-forgeable-in-openssl-and-elsewhere/ ([email protected])
http://www.mozilla.org/security/announce/2006/mfsa2006-60.html ([email protected])
http://www.mozilla.org/security/announce/2006/mfsa2006-66.html ([email protected])
http://www.novell.com/linux/security/advisories/2006_54_mozilla.html ([email protected])
http://www.novell.com/linux/security/advisories/2006_55_ssl.html ([email protected])
http://www.redhat.com/support/errata/RHSA-2006-0675.html Vendor Advisory ([email protected])
http://www.redhat.com/support/errata/RHSA-2006-0676.html Patch, Vendor Advisory ([email protected])
http://www.redhat.com/support/errata/RHSA-2006-0677.html Patch, Vendor Advisory ([email protected])
http://www.securityfocus.com/archive/1/446140/100/0/threaded ([email protected])
http://www.ubuntu.com/usn/usn-350-1 ([email protected])
http://www.ubuntu.com/usn/usn-351-1 ([email protected])
http://www.ubuntu.com/usn/usn-352-1 ([email protected])
http://www.ubuntu.com/usn/usn-354-1 ([email protected])
http://www.ubuntu.com/usn/usn-361-1 ([email protected])
http://www.us-cert.gov/cas/techalerts/TA06-312A.html US Government Resource ([email protected])
http://www.us.debian.org/security/2006/dsa-1191 ([email protected])
http://www.vupen.com/english/advisories/2006/3617 ([email protected])
http://www.vupen.com/english/advisories/2006/3622 ([email protected])
http://www.vupen.com/english/advisories/2006/3748 ([email protected])
http://www.vupen.com/english/advisories/2006/3899 ([email protected])
http://www.vupen.com/english/advisories/2007/0293 ([email protected])
http://www.vupen.com/english/advisories/2007/1198 ([email protected])
http://www.vupen.com/english/advisories/2008/0083 ([email protected])
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00771742 ([email protected])
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00771742 ([email protected])
https://exchange.xforce.ibmcloud.com/vulnerabilities/30098 ([email protected])
https://issues.rpath.com/browse/RPL-640 ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11007 ([email protected])
ftp://patches.sgi.com/support/free/security/advisories/20060901-01-P.asc (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/21903 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/21906 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/21915 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/21916 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/21939 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/21940 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/21949 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/21950 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/22001 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/22025 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/22036 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/22044 (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/22055 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/22056 (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/22066 (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/22074 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/22088 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/22195 (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/22210 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/22226 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/22247 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/22274 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/22299 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/22342 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/22422 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/22446 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/22849 (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/22992 (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/23883 (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/24711 (af854a3a-2127-422b-91ae-364da2661108)
http://security.gentoo.org/glsa/glsa-200609-19.xml (af854a3a-2127-422b-91ae-364da2661108)
http://security.gentoo.org/glsa/glsa-200610-01.xml (af854a3a-2127-422b-91ae-364da2661108)
http://securitytracker.com/id?1016858 (af854a3a-2127-422b-91ae-364da2661108)
http://securitytracker.com/id?1016859 (af854a3a-2127-422b-91ae-364da2661108)
http://securitytracker.com/id?1016860 (af854a3a-2127-422b-91ae-364da2661108)
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1 (af854a3a-2127-422b-91ae-364da2661108)
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102781-1 (af854a3a-2127-422b-91ae-364da2661108)
http://support.avaya.com/elmodocs2/security/ASA-2006-224.htm (af854a3a-2127-422b-91ae-364da2661108)
http://support.avaya.com/elmodocs2/security/ASA-2006-250.htm (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2006/dsa-1192 (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2006/dsa-1210 (af854a3a-2127-422b-91ae-364da2661108)
http://www.gentoo.org/security/en/glsa/glsa-200610-06.xml (af854a3a-2127-422b-91ae-364da2661108)
http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDKSA-2006:168 (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDKSA-2006:169 (af854a3a-2127-422b-91ae-364da2661108)
http://www.matasano.com/log/469/many-rsa-signatures-may-be-forgeable-in-openssl-and-elsewhere/ (af854a3a-2127-422b-91ae-364da2661108)
http://www.mozilla.org/security/announce/2006/mfsa2006-60.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.mozilla.org/security/announce/2006/mfsa2006-66.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.novell.com/linux/security/advisories/2006_54_mozilla.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.novell.com/linux/security/advisories/2006_55_ssl.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.redhat.com/support/errata/RHSA-2006-0675.html Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.redhat.com/support/errata/RHSA-2006-0676.html Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.redhat.com/support/errata/RHSA-2006-0677.html Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/archive/1/446140/100/0/threaded (af854a3a-2127-422b-91ae-364da2661108)
http://www.ubuntu.com/usn/usn-350-1 (af854a3a-2127-422b-91ae-364da2661108)
http://www.ubuntu.com/usn/usn-351-1 (af854a3a-2127-422b-91ae-364da2661108)
http://www.ubuntu.com/usn/usn-352-1 (af854a3a-2127-422b-91ae-364da2661108)
http://www.ubuntu.com/usn/usn-354-1 (af854a3a-2127-422b-91ae-364da2661108)
http://www.ubuntu.com/usn/usn-361-1 (af854a3a-2127-422b-91ae-364da2661108)
http://www.us-cert.gov/cas/techalerts/TA06-312A.html US Government Resource (af854a3a-2127-422b-91ae-364da2661108)
http://www.us.debian.org/security/2006/dsa-1191 (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2006/3617 (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2006/3622 (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2006/3748 (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2006/3899 (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2007/0293 (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2007/1198 (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2008/0083 (af854a3a-2127-422b-91ae-364da2661108)
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00771742 (af854a3a-2127-422b-91ae-364da2661108)
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00771742 (af854a3a-2127-422b-91ae-364da2661108)
https://exchange.xforce.ibmcloud.com/vulnerabilities/30098 (af854a3a-2127-422b-91ae-364da2661108)
https://issues.rpath.com/browse/RPL-640 (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11007 (af854a3a-2127-422b-91ae-364da2661108)