PT-2019-5413 · Mozilla · Network Security Services

Published: 2019-09-10 · Updated: 2024-06-15 · CVE-2019-17006

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Network Security Services (NSS) versions prior to 3.46

Description: The issue arises from missing length checks in several cryptographic primitives. If the application calling the library does not sanity-check the lengths of the inputs it passes in, the result is a buffer overflow that can crash the process and potentially allow a remote attacker to execute arbitrary code.

Recommendations: For versions prior to 3.46, update to version 3.46 or later to resolve the issue. As a temporary workaround, consider implementing input sanity checks in the application calling the NSS library to minimize the risk of exploitation.

Weakness Enumeration

Insufficient Verification of Data Authenticity

RCE

Heap Based Buffer Overflow

Buffer Overflow

Related Identifiers

ALT-PU-2019-2672
ALT-PU-2020-1616
BDU:2020-02871
CESA-2020_3280
CESA-2020_4076
CVE-2019-17006
DLA-2058-1
DLA-2388-1
DSA-4726-1
OESA-2021-1059
OPENSUSE-SU-2020:0008-1
OPENSUSE-SU-2020:0854-1
OPENSUSE-SU-2024:11058-1
RHSA-2020:3280
RHSA-2020:4076
RHSA-2021:0758
RHSA-2021:0876
RHSA-2021:1026
RLSA-2020:3280
SUSE-SU-2019:3395-1
SUSE-SU-2020:0088-1
SUSE-SU-2020:14418-1
SUSE-SU-2020:1677-1
SUSE-SU-2020:1839-1
USN-4231-1

Affected Products

ALT Linux
CentOS
Network Security Services
Red Hat
Rocky Linux
SUSE
Ubuntu