CVE-2019-17006

CWE-20 — Improper Input Validation CWE-119 — Buffer Overflow CWE-345 CWE-122 — Heap-based Buffer Overflow8 documents8 sources

Severity

9.8CRITICAL

EPSS

3.0%

top 13.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla NSS Mozilla Network Security Services Siemens Ruggedcom ROX Mx5000 Firmware +7 more

Timeline

PublishedOct 22

Latest updateMay 24

Description

In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages11 packages

▶NVDmozilla/network_security_services< 3.46

▶CVEListV5mozilla/nssunspecified — 3.46

▶NVDsiemens/ruggedcom_rox_mx5000_firmware< 2.14.0

▶NVDsiemens/ruggedcom_rox_rx1400_firmware< 2.14.0

▶NVDsiemens/ruggedcom_rox_rx1500_firmware< 2.14.0

Patches

Patch: bugzilla.mozilla.org ↗Patch: bugzilla.mozilla.org ↗

🔴Vulnerability Details

GHSA

GHSA-h4cr-x49j-2r7w: In Network Security Services (NSS) before 3↗2022-05-24

▶

CVEList

CVE-2019-17006: In Network Security Services (NSS) before 3↗2020-10-22

▶

OSV

CVE-2019-17006: In Network Security Services (NSS) before 3↗2020-10-22

▶

📋Vendor Advisories

Ubuntu

NSS vulnerability↗2020-01-08

▶

Red Hat

nss: Check length of inputs for cryptographic primitives↗2019-12-26

▶

Debian

CVE-2019-17006: nss - In Network Security Services (NSS) before 3.46, several cryptographic primitives...↗2019

▶

💬Community

Bugzilla

CVE-2019-17006 nss: Check length of inputs for cryptographic primitives↗2019-11-23

▶