CVE-2020-12403
Severity
9.1CRITICAL
EPSS
0.6%
top 29.61%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMay 27
Latest updateMay 24
Description
A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:HExploitability: 3.9 | Impact: 5.2
Affected Packages3 packages
Patches
🔴Vulnerability Details
3GHSA▶
GHSA-9h25-47mw-52hh: A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3↗2022-05-24
OSV▶
CVE-2020-12403: A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3↗2021-05-27
CVEList▶
CVE-2020-12403: A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3↗2021-05-27
📋Vendor Advisories
4Microsoft▶
A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part Chacha20 it could cause out-of-bounds reads. This issue was fixed by explicitly disa↗2021-05-11
Red Hat
▶
Debian▶
CVE-2020-12403: nss - A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions...↗2020