CVE-2020-12399 — Observable Discrepancy in Mozilla Firefox

CWE-203 — Observable Discrepancy CWE-327 — Use of a Broken or Risky Cryptographic Algorithm21 documents9 sources

Severity

4.4MEDIUMNVD

OSV7.5OSV6.5

EPSS

0.1%

top 73.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird +2 more

Timeline

PublishedJul 9

Latest updateMay 24

Description

NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:NExploitability: 0.8 | Impact: 3.6

Affected Packages11 packages

▶CVEListV5mozilla/firefoxunspecified — 77

▶NVDmozilla/firefox< 77.0

▶CVEListV5mozilla/firefox_esrunspecified — 68.9

▶NVDmozilla/firefox_esr< 68.9.0

▶Ubuntumozilla/firefox< 77.0.1+build1-0ubuntu0.16.04.1+2

Also affects: Debian Linux 9.0

🔴Vulnerability Details

GHSA

GHSA-fq62-4j88-qq7x: NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys↗2022-05-24

▶

OSV

CVE-2020-12399: NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys↗2020-07-09

▶

CVEList

CVE-2020-12399: NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys↗2020-07-09

▶

OSV

thunderbird vulnerabilities↗2020-07-08

▶

OSV

nss vulnerability↗2020-06-17

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2020-07-08

▶

Ubuntu

NSS vulnerability↗2020-06-17

▶

Ubuntu

NSS vulnerabilities↗2020-06-16

▶

Ubuntu

Firefox vulnerabilities↗2020-06-04

▶

Red Hat

nss: Timing attack on DSA signature generation↗2020-05-21

▶

💬Community

Bugzilla

CVE-2020-12399 nss: Timing attack on DSA signature generation [fedora-all]↗2020-05-21

▶

Bugzilla

CVE-2020-12399 nss: Timing attack on DSA signature generation↗2020-04-21

▶

Bugzilla

Timing attack on DSA on NSS library↗2020-04-20

▶

Bugzilla

CVE-2019-12399 kafka: Connect REST API exposes plaintext secrets in tasks endpoint↗2020-01-30

▶