CVE-2017-5462

A flaw in DRBG number generation within the Network Security Services (NSS) library where the internal state V does not correctly carry bits over. The NSS library has been updated to fix this issue to address this issue and Firefox ESR 52.1 has been updated with NSS version 3.28.4. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
mozillaCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 76%
VendorProductVersion
debiandebian_linux
8.0
mozillafirefox
𝑥
< 53.0
mozillafirefox
52.0
mozillafirefox_esr
𝑥
< 45.9.0
mozillanetwork_security_services
𝑥
< 3.28.4
mozillathunderbird
𝑥
< 52.1.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
firefox
sid
132.0.1-1
fixed
firefox-esr
bullseye
115.14.0esr-1~deb11u1
fixed
bullseye (security)
128.4.0esr-1~deb11u1
fixed
bookworm
115.14.0esr-1~deb12u1
fixed
bookworm (security)
128.4.0esr-1~deb12u1
fixed
trixie
128.3.1esr-2
fixed
sid
128.4.0esr-1
fixed
nss
bullseye
2:3.61-1+deb11u3
fixed
bullseye (security)
2:3.61-1+deb11u4
fixed
bookworm
2:3.87.1-1
fixed
sid
2:3.105-2
fixed
trixie
2:3.105-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
firefox
zesty
Fixed 53.0+build6-0ubuntu0.17.04.1
released
yakkety
Fixed 53.0+build6-0ubuntu0.16.10.1
released
xenial
Fixed 53.0+build6-0ubuntu0.16.04.1
released
trusty
Fixed 53.0+build6-0ubuntu0.14.04.1
released
precise
ignored
nss
zesty
Fixed 2:3.28.4-0ubuntu0.17.04.1
released
yakkety
Fixed 2:3.28.4-0ubuntu0.16.10.1
released
xenial
Fixed 2:3.28.4-0ubuntu0.16.04.1
released
trusty
Fixed 2:3.28.4-0ubuntu0.14.04.1
released
precise
ignored
thunderbird
zesty
Fixed 1:52.1.1+build1-0ubuntu0.17.04.1
released
yakkety
Fixed 1:52.1.1+build1-0ubuntu0.16.10.1
released
xenial
Fixed 1:52.1.1+build1-0ubuntu0.16.04.1
released
trusty
Fixed 1:52.1.1+build1-0ubuntu0.14.04.1
released
precise
ignored
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/97940
http://www.securitytracker.com/id/1038320
https://bugzilla.mozilla.org/show_bug.cgi?id=1345089
https://security.gentoo.org/glsa/201705-04
https://www.debian.org/security/2017/dsa-3831
https://www.debian.org/security/2017/dsa-3872
https://www.mozilla.org/security/advisories/mfsa2017-10/
https://www.mozilla.org/security/advisories/mfsa2017-11/
https://www.mozilla.org/security/advisories/mfsa2017-12/
https://www.mozilla.org/security/advisories/mfsa2017-13/
http://www.securityfocus.com/bid/97940
http://www.securitytracker.com/id/1038320
https://bugzilla.mozilla.org/show_bug.cgi?id=1345089
https://security.gentoo.org/glsa/201705-04
https://www.debian.org/security/2017/dsa-3831
https://www.debian.org/security/2017/dsa-3872
https://www.mozilla.org/security/advisories/mfsa2017-10/
https://www.mozilla.org/security/advisories/mfsa2017-11/
https://www.mozilla.org/security/advisories/mfsa2017-12/
https://www.mozilla.org/security/advisories/mfsa2017-13/