CVE-2019-17023

MEDIUM

Description

After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1590001

https://usn.ubuntu.com/4234-1/

https://usn.ubuntu.com/4397-1/

https://www.debian.org/security/2020/dsa-4726

https://www.mozilla.org/security/advisories/mfsa2020-01/

Details

Source: MITRE

Published: 2020-01-08

Updated: 2020-07-18

Type: CWE-287

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3.0

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Impact Score: 3.6

Exploitability Score: 2.8

Severity: MEDIUM

Tenable Plugins

View all (6 total)

ID	Name	Product	Family	Severity
139293	RHEL 8 : nss and nspr (RHSA-2020:3280)	Nessus	Red Hat Local Security Checks	medium
138646	Debian DSA-4726-1 : nss - security update	Nessus	Debian Local Security Checks	medium
137555	Ubuntu 16.04 LTS / 18.04 LTS / 19.10 / 20.04 : nss vulnerabilities (USN-4397-1)	Nessus	Ubuntu Local Security Checks	medium
132854	Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : firefox vulnerabilities (USN-4234-1)	Nessus	Ubuntu Local Security Checks	medium
132709	Mozilla Firefox < 72.0 Multiple Vulnerabilities	Nessus	Windows	medium
132708	Mozilla Firefox < 72.0 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	medium