CVE-2019-17007

CWE-295 — Improper Certificate Validation CWE-476 — NULL Pointer Dereference8 documents8 sources

Severity

7.5HIGH

EPSS

0.3%

top 46.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla NSS Mozilla Network Security Services Siemens Ruggedcom ROX Mx5000 Firmware +7 more

Timeline

PublishedOct 22

Latest updateMay 24

Description

In Network Security Services before 3.44, a malformed Netscape Certificate Sequence can cause NSS to crash, resulting in a denial of service.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages11 packages

▶NVDmozilla/network_security_services< 3.44

▶CVEListV5mozilla/nssunspecified — 3.44

▶NVDsiemens/ruggedcom_rox_mx5000_firmware< 2.14.0

▶NVDsiemens/ruggedcom_rox_rx1400_firmware< 2.14.0

▶NVDsiemens/ruggedcom_rox_rx1500_firmware< 2.14.0

Patches

Patch: bugzilla.mozilla.org ↗Patch: bugzilla.mozilla.org ↗

🔴Vulnerability Details

GHSA

GHSA-fcjm-r5rj-fq7w: In Network Security Services before 3↗2022-05-24

▶

CVEList

CVE-2019-17007: In Network Security Services before 3↗2020-10-22

▶

OSV

CVE-2019-17007: In Network Security Services before 3↗2020-10-22

▶

📋Vendor Advisories

Ubuntu

NSS vulnerability↗2019-12-09

▶

Red Hat

nss: Handling of Netscape Certificate Sequences in CERT_DecodeCertPackage() may crash with a NULL deref leading to DoS↗2019-03-21

▶

Debian

CVE-2019-17007: nss - In Network Security Services before 3.44, a malformed Netscape Certificate Seque...↗2019

▶

💬Community

Bugzilla

CVE-2019-17007 nss: Handling of Netscape Certificate Sequences in CERT_DecodeCertPackage() may crash with a NULL deref leading to DoS↗2019-04-29

▶