CVE-2019-11745MEDIUM
Description
When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71.
References
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html
https://access.redhat.com/errata/RHSA-2020:0243
https://access.redhat.com/errata/RHSA-2020:0466
https://bugzilla.mozilla.org/show_bug.cgi?id=1586176
https://cert-portal.siemens.com/productcert/pdf/ssa-379803.pdf
https://lists.debian.org/debian-lts-announce/2020/09/msg00029.html
https://security.gentoo.org/glsa/202003-02
https://security.gentoo.org/glsa/202003-10
https://security.gentoo.org/glsa/202003-37
https://us-cert.cisa.gov/ics/advisories/icsa-21-040-04
https://usn.ubuntu.com/4241-1/
https://usn.ubuntu.com/4335-1/
https://www.mozilla.org/security/advisories/mfsa2019-36/
Details
Source: MITRE
Published: 2020-01-08
Updated: 2021-02-19
Type: CWE-787
Risk Information
CVSS v2.0
Base Score: 6.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Impact Score: 6.4
Exploitability Score: 8.6
Severity: MEDIUM
CVSS v3.0
Base Score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 2.8
Severity: HIGH
Vulnerable Software
Configuration 1
OR
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Configuration 2
OR
Configuration 3
OR
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Configuration 4
OR
Configuration 5
OR
cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:*
Configuration 6
AND
OR
cpe:2.3:o:siemens:ruggedcom_rox_mx5000_firmware:*:*:*:*:*:*:*:*
OR
Configuration 7
AND
OR
cpe:2.3:o:siemens:ruggedcom_rox_rx1400_firmware:*:*:*:*:*:*:*:*
OR
Configuration 8
AND
OR
cpe:2.3:o:siemens:ruggedcom_rox_rx1500_firmware:*:*:*:*:*:*:*:*
OR
Configuration 9
AND
OR
cpe:2.3:o:siemens:ruggedcom_rox_rx1501_firmware:*:*:*:*:*:*:*:*
OR
Configuration 10
AND
OR
cpe:2.3:o:siemens:ruggedcom_rox_rx1510_firmware:*:*:*:*:*:*:*:*
OR
Configuration 11
AND
OR
cpe:2.3:o:siemens:ruggedcom_rox_rx1511_firmware:*:*:*:*:*:*:*:*
OR
Configuration 12
AND
OR
cpe:2.3:o:siemens:ruggedcom_rox_rx1512_firmware:*:*:*:*:*:*:*:*
OR
Configuration 13
AND
OR
cpe:2.3:o:siemens:ruggedcom_rox_rx5000_firmware:*:*:*:*:*:*:*:*
OR
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 145655 | CentOS 8 : nss (CESA-2019:4114) | Nessus | CentOS Local Security Checks | medium |
| 144539 | Virtuozzo 6 : nss-softokn / nss-softokn-devel / etc (VZLSA-2019-4152) | Nessus | Virtuozzo Local Security Checks | medium |
| 141062 | Debian DLA-2388-1 : nss security update | Nessus | Debian Local Security Checks | critical |
| 135896 | Ubuntu 16.04 LTS : Thunderbird vulnerabilities (USN-4335-1) | Nessus | Ubuntu Local Security Checks | high |
| 135460 | RHEL 7 : nss-softokn (RHSA-2020:1461) | Nessus | Red Hat Local Security Checks | medium |
| 135250 | RHEL 7 : nss-softokn (RHSA-2020:1345) | Nessus | Red Hat Local Security Checks | medium |
| 135092 | RHEL 7 : nss-softokn (RHSA-2020:1267) | Nessus | Red Hat Local Security Checks | medium |
| 134681 | Amazon Linux AMI : nss / nss-softokn,nss-util,nspr (ALAS-2020-1355) | Nessus | Amazon Linux Local Security Checks | medium |
| 134643 | GLSA-202003-37 : Mozilla Network Security Service: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | medium |
| 134587 | GLSA-202003-10 : Mozilla Thunderbird: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high |
| 134469 | GLSA-202003-02 : Mozilla Firefox: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high |
| 134322 | NewStart CGSL MAIN 4.05 : nss-softokn Vulnerability (NS-SA-2020-0018) | Nessus | NewStart CGSL Local Security Checks | medium |
| 133635 | RHEL 6 : nss-softokn (RHSA-2020:0466) | Nessus | Red Hat Local Security Checks | medium |
| 133286 | RHEL 8 : nss (RHSA-2020:0243) | Nessus | Red Hat Local Security Checks | medium |
| 133094 | Amazon Linux 2 : nss (ALAS-2020-1384) | Nessus | Amazon Linux Local Security Checks | medium |
| 133085 | NewStart CGSL CORE 5.05 / MAIN 5.05 : nss Multiple Vulnerabilities (NS-SA-2020-0005) | Nessus | NewStart CGSL Local Security Checks | medium |
| 133040 | Ubuntu 18.04 LTS / 19.10 : Thunderbird vulnerabilities (USN-4241-1) | Nessus | Ubuntu Local Security Checks | medium |
| 132924 | SUSE SLED12 / SLES12 Security Update : mozilla-nspr, mozilla-nss (SUSE-SU-2020:0088-1) | Nessus | SuSE Local Security Checks | critical |
| 132849 | openSUSE Security Update : mozilla-nspr / mozilla-nss (openSUSE-2020-8) | Nessus | SuSE Local Security Checks | critical |
| 132764 | openSUSE Security Update : MozillaThunderbird (openSUSE-2020-3) | Nessus | SuSE Local Security Checks | medium |
| 132763 | openSUSE Security Update : MozillaFirefox (openSUSE-2020-2) | Nessus | SuSE Local Security Checks | medium |
| 132734 | Amazon Linux 2 : nss-softokn (ALAS-2020-1379) | Nessus | Amazon Linux Local Security Checks | medium |
| 132588 | NewStart CGSL CORE 5.04 / MAIN 5.04 : nss Multiple Vulnerabilities (NS-SA-2019-0262) | Nessus | NewStart CGSL Local Security Checks | medium |
| 132518 | SUSE SLED15 / SLES15 Security Update : mozilla-nspr, mozilla-nss (SUSE-SU-2019:3395-1) | Nessus | SuSE Local Security Checks | critical |
| 132400 | CentOS 7 : nss / nss-softokn / nss-util (CESA-2019:4190) | Nessus | CentOS Local Security Checks | medium |
| 132336 | SUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2019:3347-1) | Nessus | SuSE Local Security Checks | medium |
| 132308 | SUSE SLED15 / SLES15 Security Update : MozillaFirefox (SUSE-SU-2019:3337-1) | Nessus | SuSE Local Security Checks | medium |
| 131988 | Scientific Linux Security Update : nss-softokn on SL6.x i386/x86_64 (20191210) | Nessus | Scientific Linux Local Security Checks | medium |
| 131987 | Scientific Linux Security Update : nss, nss-softokn, nss-util on SL7.x x86_64 (20191210) | Nessus | Scientific Linux Local Security Checks | medium |
| 131984 | RHEL 7 : nss, nss-softokn, nss-util (RHSA-2019:4190) | Nessus | Red Hat Local Security Checks | medium |
| 131978 | RHEL 6 : nss-softokn (RHSA-2019:4152) | Nessus | Red Hat Local Security Checks | medium |
| 131973 | Oracle Linux 7 : nss / nss-softokn / nss-util (ELSA-2019-4190) | Nessus | Oracle Linux Local Security Checks | medium |
| 131972 | Oracle Linux 6 : nss-softokn (ELSA-2019-4152) | Nessus | Oracle Linux Local Security Checks | medium |
| 131959 | CentOS 6 : nss-softokn (CESA-2019:4152) | Nessus | CentOS Local Security Checks | medium |
| 131956 | Mozilla Thunderbird < 68.3 | Nessus | Windows | medium |
| 131955 | Mozilla Thunderbird < 68.3 | Nessus | MacOS X Local Security Checks | medium |
| 131924 | Ubuntu 18.04 LTS / 19.04 / 19.10 : firefox vulnerabilities (USN-4216-1) | Nessus | Ubuntu Local Security Checks | medium |
| 131920 | RHEL 8 : nss (RHSA-2019:4114) | Nessus | Red Hat Local Security Checks | medium |
| 131915 | Oracle Linux 8 : nss (ELSA-2019-4114) | Nessus | Oracle Linux Local Security Checks | medium |
| 131784 | Debian DSA-4579-1 : nss - security update | Nessus | Debian Local Security Checks | medium |
| 131773 | Mozilla Firefox < 71.0 | Nessus | Windows | medium |
| 131772 | Mozilla Firefox < 71.0 | Nessus | MacOS X Local Security Checks | medium |
| 131767 | Mozilla Firefox ESR 68.x < 68.3 Multiple vulnerabilities | Nessus | Windows | medium |
| 131766 | Mozilla Firefox ESR 68.x < 68.3 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | medium |
| 131681 | Slackware 14.2 / current : mozilla-firefox (SSA:2019-337-01) | Nessus | Slackware Local Security Checks | medium |
| 131559 | Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : NSS vulnerability (USN-4203-1) | Nessus | Ubuntu Local Security Checks | medium |
| 131293 | Debian DLA-2008-1 : nss security update | Nessus | Debian Local Security Checks | medium |