Heap-based buffer overflow in Mozilla Network Security Services (NSS) before 3.19.2.3 and 3.20.x and 3.21.x before 3.21.1, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to execute arbitrary code via crafted ASN.1 data in an X.509 certificate. (CVE-2016-1950)
Impact
When this vulnerability is exploited, an attacker may be able to execute arbitrary code. While this vulnerable code exists in BIG-IP, BIG-IQ, and Enterprise Manager products, the default standard configuration does not use the code in a way that makes this issue exploitable. If the BIG-IP system is configured with a custom monitor that calls external scripts, and the external scripts use the vulnerable NSS libraries to parse ASN.1 data, then the BIG-IP system could be exposed to this vulnerability.