CVE-2019-11745

high

Description

When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71.

References

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html

https://access.redhat.com/errata/RHSA-2020:0243

https://access.redhat.com/errata/RHSA-2020:0466

https://bugzilla.mozilla.org/show_bug.cgi?id=1586176

https://cert-portal.siemens.com/productcert/pdf/ssa-379803.pdf

https://lists.debian.org/debian-lts-announce/2020/09/msg00029.html

https://security.gentoo.org/glsa/202003-02

https://security.gentoo.org/glsa/202003-10

https://security.gentoo.org/glsa/202003-37

https://us-cert.cisa.gov/ics/advisories/icsa-21-040-04

https://usn.ubuntu.com/4241-1/

https://usn.ubuntu.com/4335-1/

https://www.mozilla.org/security/advisories/mfsa2019-36/

https://www.mozilla.org/security/advisories/mfsa2019-37/

https://www.mozilla.org/security/advisories/mfsa2019-38/

Details

Source: MITRE

Published: 2020-01-08

Updated: 2021-02-19

Type: CWE-787

Risk Information

CVSS v2

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 8.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 2.8

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 5

OR

cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:*

Configuration 6

AND

OR

cpe:2.3:o:siemens:ruggedcom_rox_mx5000_firmware:*:*:*:*:*:*:*:*

OR

cpe:2.3:h:siemens:ruggedcom_rox_mx5000:-:*:*:*:*:*:*:*

Configuration 7

AND

OR

cpe:2.3:o:siemens:ruggedcom_rox_rx1400_firmware:*:*:*:*:*:*:*:*

OR

cpe:2.3:h:siemens:ruggedcom_rox_rx1400:-:*:*:*:*:*:*:*

Configuration 8

AND

OR

cpe:2.3:o:siemens:ruggedcom_rox_rx1500_firmware:*:*:*:*:*:*:*:*

OR

cpe:2.3:h:siemens:ruggedcom_rox_rx1500:-:*:*:*:*:*:*:*

Configuration 9

AND

OR

cpe:2.3:o:siemens:ruggedcom_rox_rx1501_firmware:*:*:*:*:*:*:*:*

OR

cpe:2.3:h:siemens:ruggedcom_rox_rx1501:-:*:*:*:*:*:*:*

Configuration 10

AND

OR

cpe:2.3:o:siemens:ruggedcom_rox_rx1510_firmware:*:*:*:*:*:*:*:*

OR

cpe:2.3:h:siemens:ruggedcom_rox_rx1510:-:*:*:*:*:*:*:*

Configuration 11

AND

OR

cpe:2.3:o:siemens:ruggedcom_rox_rx1511_firmware:*:*:*:*:*:*:*:*

OR

cpe:2.3:h:siemens:ruggedcom_rox_rx1511:-:*:*:*:*:*:*:*

Configuration 12

AND

OR

cpe:2.3:o:siemens:ruggedcom_rox_rx1512_firmware:*:*:*:*:*:*:*:*

OR

cpe:2.3:h:siemens:ruggedcom_rox_rx1512:-:*:*:*:*:*:*:*

Configuration 13

AND

OR

cpe:2.3:o:siemens:ruggedcom_rox_rx5000_firmware:*:*:*:*:*:*:*:*

OR

cpe:2.3:h:siemens:ruggedcom_rox_rx5000:-:*:*:*:*:*:*:*

Tenable Plugins

ID | Name | Product | Family | Severity
150659 | SUSE SLES11 Security Update : mozilla-nspr, mozilla-nss (SUSE-SU-2020:14418-1) | Nessus | SuSE Local Security Checks | critical
150601 | SUSE SLES11 Security Update : MozillaFirefox, mozilla-nspr, mozilla-nss (SUSE-SU-2019:14260-1) | Nessus | SuSE Local Security Checks | high
145655 | CentOS 8 : nss (CESA-2019:4114) | Nessus | CentOS Local Security Checks | high
144539 | Virtuozzo 6 : nss-softokn / nss-softokn-devel / etc (VZLSA-2019-4152) | Nessus | Virtuozzo Local Security Checks | high
141062 | Debian DLA-2388-1 : nss security update | Nessus | Debian Local Security Checks | critical
135896 | Ubuntu 16.04 LTS : Thunderbird vulnerabilities (USN-4335-1) | Nessus | Ubuntu Local Security Checks | critical
135460 | RHEL 7 : nss-softokn (RHSA-2020:1461) | Nessus | Red Hat Local Security Checks | high
135250 | RHEL 7 : nss-softokn (RHSA-2020:1345) | Nessus | Red Hat Local Security Checks | high
135092 | RHEL 7 : nss-softokn (RHSA-2020:1267) | Nessus | Red Hat Local Security Checks | high
134681 | Amazon Linux AMI : nss / nss-softokn,nss-util,nspr (ALAS-2020-1355) | Nessus | Amazon Linux Local Security Checks | high
134643 | GLSA-202003-37 : Mozilla Network Security Service: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high
134587 | GLSA-202003-10 : Mozilla Thunderbird: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical
134469 | GLSA-202003-02 : Mozilla Firefox: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical
134322 | NewStart CGSL MAIN 4.05 : nss-softokn Vulnerability (NS-SA-2020-0018) | Nessus | NewStart CGSL Local Security Checks | high
133635 | RHEL 6 : nss-softokn (RHSA-2020:0466) | Nessus | Red Hat Local Security Checks | high
133286 | RHEL 8 : nss (RHSA-2020:0243) | Nessus | Red Hat Local Security Checks | high
133094 | Amazon Linux 2 : nss (ALAS-2020-1384) | Nessus | Amazon Linux Local Security Checks | high
133085 | NewStart CGSL CORE 5.05 / MAIN 5.05 : nss Multiple Vulnerabilities (NS-SA-2020-0005) | Nessus | NewStart CGSL Local Security Checks | high
133040 | Ubuntu 18.04 LTS / 19.10 : Thunderbird vulnerabilities (USN-4241-1) | Nessus | Ubuntu Local Security Checks | high
132924 | SUSE SLED12 / SLES12 Security Update : mozilla-nspr, mozilla-nss (SUSE-SU-2020:0088-1) | Nessus | SuSE Local Security Checks | critical
132849 | openSUSE Security Update : mozilla-nspr / mozilla-nss (openSUSE-2020-8) | Nessus | SuSE Local Security Checks | critical
132764 | openSUSE Security Update : MozillaThunderbird (openSUSE-2020-3) | Nessus | SuSE Local Security Checks | high
132763 | openSUSE Security Update : MozillaFirefox (openSUSE-2020-2) | Nessus | SuSE Local Security Checks | high
132734 | Amazon Linux 2 : nss-softokn (ALAS-2020-1379) | Nessus | Amazon Linux Local Security Checks | high
132588 | NewStart CGSL CORE 5.04 / MAIN 5.04 : nss Multiple Vulnerabilities (NS-SA-2019-0262) | Nessus | NewStart CGSL Local Security Checks | high
132518 | SUSE SLED15 / SLES15 Security Update : mozilla-nspr, mozilla-nss (SUSE-SU-2019:3395-1) | Nessus | SuSE Local Security Checks | critical
132400 | CentOS 7 : nss / nss-softokn / nss-util (CESA-2019:4190) | Nessus | CentOS Local Security Checks | high
132336 | SUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2019:3347-1) | Nessus | SuSE Local Security Checks | high
132308 | SUSE SLED15 / SLES15 Security Update : MozillaFirefox (SUSE-SU-2019:3337-1) | Nessus | SuSE Local Security Checks | high
131988 | Scientific Linux Security Update : nss-softokn on SL6.x i386/x86_64 (20191210) | Nessus | Scientific Linux Local Security Checks | high
131987 | Scientific Linux Security Update : nss, nss-softokn, nss-util on SL7.x x86_64 (20191210) | Nessus | Scientific Linux Local Security Checks | high
131984 | RHEL 7 : nss, nss-softokn, nss-util (RHSA-2019:4190) | Nessus | Red Hat Local Security Checks | high
131978 | RHEL 6 : nss-softokn (RHSA-2019:4152) | Nessus | Red Hat Local Security Checks | high
131973 | Oracle Linux 7 : nss / nss-softokn / nss-util (ELSA-2019-4190) | Nessus | Oracle Linux Local Security Checks | high
131972 | Oracle Linux 6 : nss-softokn (ELSA-2019-4152) | Nessus | Oracle Linux Local Security Checks | high
131959 | CentOS 6 : nss-softokn (CESA-2019:4152) | Nessus | CentOS Local Security Checks | high
131956 | Mozilla Thunderbird < 68.3 | Nessus | Windows | high
131955 | Mozilla Thunderbird < 68.3 | Nessus | MacOS X Local Security Checks | high
131924 | Ubuntu 18.04 LTS / 19.04 / 19.10 : firefox vulnerabilities (USN-4216-1) | Nessus | Ubuntu Local Security Checks | high
131920 | RHEL 8 : nss (RHSA-2019:4114) | Nessus | Red Hat Local Security Checks | high
131915 | Oracle Linux 8 : nss (ELSA-2019-4114) | Nessus | Oracle Linux Local Security Checks | high
131784 | Debian DSA-4579-1 : nss - security update | Nessus | Debian Local Security Checks | high
131773 | Mozilla Firefox < 71.0 | Nessus | Windows | high
131772 | Mozilla Firefox < 71.0 | Nessus | MacOS X Local Security Checks | high
131767 | Mozilla Firefox ESR 68.x < 68.3 Multiple vulnerabilities | Nessus | Windows | high
131766 | Mozilla Firefox ESR 68.x < 68.3 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | high
131681 | Slackware 14.2 / current : mozilla-firefox (SSA:2019-337-01) | Nessus | Slackware Local Security Checks | high
131559 | Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : NSS vulnerability (USN-4203-1) | Nessus | Ubuntu Local Security Checks | high
131293 | Debian DLA-2008-1 : nss security update | Nessus | Debian Local Security Checks | high