{"containers": {"cna": {"affected": [{"product": "Network Security Services (NSS)", "vendor": "NSS", "versions": [{"status": "affected", "version": "All versions prior to NSS 3.39"}]}], "descriptions": [{"lang": "en", "value": "When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3."}], "problemTypes": [{"descriptions": [{"description": "Use of Insufficiently Random Values", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-10-16T17:40:48", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12384"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2018-12384", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Network Security Services (NSS)", "version": {"version_data": [{"version_value": "All versions prior to NSS 3.39"}]}}]}, "vendor_name": "NSS"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Use of Insufficiently Random Values"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12384", "refsource": "CONFIRM", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12384"}, {"name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "refsource": "MISC", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T08:31:00.061Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12384"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}]}]}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2018-12384", "datePublished": "2019-04-29T14:22:53", "dateReserved": "2018-06-14T00:00:00", "dateUpdated": "2024-08-05T08:31:00.061Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:*", "matchCriteriaId": "9AAFED9E-E2C8-4F07-B9C8-E9D37436AAAA", "versionEndExcluding": "3.39", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3."}, {"lang": "es", "value": "Cuando se maneja una petici\u00f3n ClientHello compatible con SSLv2, el servidor no genera un nuevo valor aleatorio, sino que env\u00eda un valor All-Zero en su lugar. Esto conlleva a una maleabilidad completa del ClientHello para SSLv2 usado para TLS 1.2 en todas las versiones anteriores a NSS 3.39. Esto no afecta a TLS 1.3."}], "id": "CVE-2018-12384", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-29T15:29:00.247", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12384"}, {"source": "security@mozilla.org", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-335"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Mozilla project for reporting this issue.", "affected_release": [{"advisory": "RHSA-2018:2898", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "nss-0:3.36.0-9.el6_10", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2018-10-09T00:00:00Z"}, {"advisory": "RHSA-2018:2768", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "nss-0:3.36.0-7.el7_5", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2018-09-25T00:00:00Z"}], "bugzilla": {"description": "nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello", "id": "1622089", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1622089"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "details": ["When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.", "A flaw was found in the way NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. A man-in-the-middle attacker could use this flaw in a passive replay attack."], "name": "CVE-2018-12384", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "nss", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nss", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2018-09-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-12384\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-12384\nhttps://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36.5_release_notes\nhttps://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.39_release_notes"], "threat_severity": "Moderate", "upstream_fix": "nss 3.36.5, nss 3.39"}