First published: Tue Feb 14 2023(Updated: )
An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled.
Credit: security@mozilla.org security@mozilla.org security@mozilla.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/nss | <0:3.44.0-13.el6_10 | 0:3.44.0-13.el6_10 |
redhat/nss | <0:3.79.0-5.el7_9 | 0:3.79.0-5.el7_9 |
redhat/nss | <0:3.79.0-11.el8_7 | 0:3.79.0-11.el8_7 |
redhat/nss | <0:3.44.0-11.el8_1 | 0:3.44.0-11.el8_1 |
redhat/firefox | <0:102.9.0-4.el8_1 | 0:102.9.0-4.el8_1 |
redhat/nss | <0:3.53.1-13.el8_2 | 0:3.53.1-13.el8_2 |
redhat/nss | <0:3.67.0-8.el8_4 | 0:3.67.0-8.el8_4 |
redhat/nss | <0:3.79.0-11.el8_6 | 0:3.79.0-11.el8_6 |
redhat/nss | <0:3.79.0-17.el9_1 | 0:3.79.0-17.el9_1 |
redhat/nss | <0:3.79.0-17.el9_0 | 0:3.79.0-17.el9_0 |
Mozilla Thunderbird | <102.8 | 102.8 |
Mozilla Firefox ESR | <102.8 | 102.8 |
redhat/firefox | <102.8 | 102.8 |
redhat/thunderbird | <102.8 | 102.8 |
redhat/nss | <3.88.1 | 3.88.1 |
redhat/nss | <3.79.4 | 3.79.4 |
Mozilla Firefox | <110 | 110 |
Mozilla Firefox | <110.0 | |
Mozilla Firefox ESR | <102.8 | |
Mozilla Thunderbird | <102.8 | |
debian/firefox | 131.0.2-2 | |
debian/firefox-esr | 115.14.0esr-1~deb11u1 128.3.1esr-1~deb11u1 115.14.0esr-1~deb12u1 128.3.1esr-1~deb12u1 128.3.0esr-2 128.3.1esr-2 | |
debian/nss | 2:3.61-1+deb11u3 2:3.87.1-1 2:3.105-2 | |
debian/thunderbird | 1:115.12.0-1~deb11u1 1:115.16.0esr-1~deb11u1 1:115.12.0-1~deb12u1 1:115.16.0esr-1~deb12u1 1:128.2.0esr-1 1:128.3.0esr-1 | |
IBM Cognos Analytics | <=12.0.0-12.0.3 | |
IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
(Found alongside the following vulnerabilities)
CVE-2023-0767 is a vulnerability that allows an attacker to construct a PKCS 12 cert bundle that could allow for arbitrary memory writes.
CVE-2023-0767 affects Firefox versions less than 110, Thunderbird versions less than 102.8, and Firefox ESR versions less than 102.8.
An attacker can exploit CVE-2023-0767 by constructing a malicious PKCS 12 cert bundle that triggers mishandling of PKCS 12 Safe Bag attributes, leading to arbitrary memory writes.
CVE-2023-0767 has a severity rating of 8.8, which is considered high.
You can find more information about CVE-2023-0767 in the Mozilla security advisories: [Link to advisory 1](https://www.mozilla.org/security/advisories/mfsa2023-05/), [Link to advisory 2](https://www.mozilla.org/security/advisories/mfsa2023-07/).