CVE-2013-1620 — Observable Discrepancy in Mozilla Network Security Services
Severity
4.3MEDIUMNVD
CNA2.6OSV2.6
EPSS
0.8%
top 25.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedFeb 8
Latest updateMay 14
Description
The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
CVSS vector
AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9
Affected Packages13 packages
Also affects: Ubuntu Linux 10.04, 11.10, 12.04, 12.10, Enterprise Linux 5.9
🔴Vulnerability Details
3GHSA▶
GHSA-4pp6-m86c-j4gj: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check o↗2022-05-14
OSV▶
CVE-2013-1620: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check o↗2013-02-08
CVEList▶
CVE-2013-1620: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check o↗2013-02-08