Risk: Medium
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2011-3640
CWE-ID: CWE-426
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: nss (Alpine package) (Operating systems & Components / Operating system package or component)
Vendor: Alpine Linux Development Team
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU33693
Risk: Medium
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-3640
CWE-ID: CWE-426 - Untrusted Search Path
Exploit availability: No
Description
The vulnerability allows a remote authenticated user to execute arbitrary code.
** DISPUTED ** Untrusted search path vulnerability in Mozilla Network Security Services (NSS), as used in Google Chrome before 17 on Windows and Mac OS X, might allow local users to gain privileges via a Trojan horse pkcs11.txt file in a top-level directory. NOTE: the vendor's response was "Strange behavior, but we're not treating this as a security bug."
Mitigation
Install update from vendor's website.
Vulnerable software versions
nss (Alpine package): 3.12.8-r0
External links
https://git.alpinelinux.org/aports/commit/?id=9abcd899b8e98b5c862f44331591f9d64fefaff5
https://git.alpinelinux.org/aports/commit/?id=7949eba01b305bbf4ad50858aa1e56d6a92ee933
https://git.alpinelinux.org/aports/commit/?id=4f73d2d7b4f2ba743c47e8be0248da03661af1d7
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.