{"containers": {"cna": {"affected": [{"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "affected", "version": "before 68.3"}]}, {"product": "Firefox ESR", "vendor": "Mozilla", "versions": [{"status": "affected", "version": "before 68.3"}]}, {"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "affected", "version": "before 71"}]}], "descriptions": [{"lang": "en", "value": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71."}], "problemTypes": [{"descriptions": [{"description": "Out of bounds write in NSS when encrypting with a block cipher", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-02-12T06:08:36", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-36/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-38/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-37/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176"}, {"name": "openSUSE-SU-2020:0003", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html"}, {"name": "openSUSE-SU-2020:0002", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html"}, {"name": "openSUSE-SU-2020:0008", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html"}, {"name": "USN-4241-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4241-1/"}, {"name": "RHSA-2020:0243", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0243"}, {"name": "RHSA-2020:0466", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0466"}, {"name": "GLSA-202003-02", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202003-02"}, {"name": "GLSA-202003-10", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202003-10"}, {"name": "GLSA-202003-37", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202003-37"}, {"name": "USN-4335-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4335-1/"}, {"name": "[debian-lts-announce] 20200929 [SECURITY] [DLA 2388-1] nss security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00029.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-379803.pdf"}, {"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-040-04"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-11745", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Thunderbird", "version": {"version_data": [{"version_value": "before 68.3"}]}}, {"product_name": "Firefox ESR", "version": {"version_data": [{"version_value": "before 68.3"}]}}, {"product_name": "Firefox", "version": {"version_data": [{"version_value": "before 71"}]}}]}, "vendor_name": "Mozilla"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Out of bounds write in NSS when encrypting with a block cipher"}]}]}, "references": {"reference_data": [{"name": "https://www.mozilla.org/security/advisories/mfsa2019-36/", "refsource": "CONFIRM", "url": "https://www.mozilla.org/security/advisories/mfsa2019-36/"}, {"name": "https://www.mozilla.org/security/advisories/mfsa2019-38/", "refsource": "CONFIRM", "url": "https://www.mozilla.org/security/advisories/mfsa2019-38/"}, {"name": "https://www.mozilla.org/security/advisories/mfsa2019-37/", "refsource": "CONFIRM", "url": "https://www.mozilla.org/security/advisories/mfsa2019-37/"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", "refsource": "CONFIRM", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176"}, {"name": "openSUSE-SU-2020:0003", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html"}, {"name": "openSUSE-SU-2020:0002", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html"}, {"name": "openSUSE-SU-2020:0008", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html"}, {"name": "USN-4241-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4241-1/"}, {"name": "RHSA-2020:0243", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0243"}, {"name": "RHSA-2020:0466", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0466"}, {"name": "GLSA-202003-02", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-02"}, {"name": "GLSA-202003-10", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-10"}, {"name": "GLSA-202003-37", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-37"}, {"name": "USN-4335-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4335-1/"}, {"name": "[debian-lts-announce] 20200929 [SECURITY] [DLA 2388-1] nss security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00029.html"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-379803.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-379803.pdf"}, {"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-040-04", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-040-04"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:03:32.560Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-36/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-38/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-37/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176"}, {"name": "openSUSE-SU-2020:0003", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html"}, {"name": "openSUSE-SU-2020:0002", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html"}, {"name": "openSUSE-SU-2020:0008", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html"}, {"name": "USN-4241-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4241-1/"}, {"name": "RHSA-2020:0243", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0243"}, {"name": "RHSA-2020:0466", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0466"}, {"name": "GLSA-202003-02", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202003-02"}, {"name": "GLSA-202003-10", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202003-10"}, {"name": "GLSA-202003-37", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202003-37"}, {"name": "USN-4335-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4335-1/"}, {"name": "[debian-lts-announce] 20200929 [SECURITY] [DLA 2388-1] nss security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00029.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-379803.pdf"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-040-04"}]}]}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-11745", "datePublished": "2020-01-08T19:22:00", "dateReserved": "2019-05-03T00:00:00", "dateUpdated": "2024-08-04T23:03:32.560Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "13CA3D58-3E63-46A9-9E84-0EE98E85FCCD", "versionEndExcluding": "71.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E44031F-A65C-47ED-BE96-D95E9C013208", "versionEndExcluding": "68.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "8620BC60-0832-426B-8B96-8AC49FBD1ACA", "versionEndExcluding": "68.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*", "matchCriteriaId": "A31C8344-3E02-4EB8-8BD8-4C84B7959624", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:*", "matchCriteriaId": "16E6D998-B41D-4B49-9E00-8336D2E40A4A", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:ruggedcom_rox_mx5000:-:*:*:*:*:*:*:*", "matchCriteriaId": "DAD1B18F-9C37-48CC-92E2-9C5E66B206CB", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:ruggedcom_rox_mx5000_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "1B09C415-21F2-49C9-BFAE-2151C8ED4D06", "versionEndExcluding": "2.14.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:ruggedcom_rox_rx1400:-:*:*:*:*:*:*:*", "matchCriteriaId": "12BD4008-DB6A-4749-A426-D2DE44819A9D", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:ruggedcom_rox_rx1400_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "F196C09E-4C45-42D5-B509-7EB77F6566F1", "versionEndExcluding": "2.14.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:ruggedcom_rox_rx1500:-:*:*:*:*:*:*:*", "matchCriteriaId": "3E79B422-C844-411C-AA49-CFD73D3C6E2D", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:ruggedcom_rox_rx1500_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "13D72F66-A1B2-4FB7-B31B-EF16955BC871", "versionEndExcluding": "2.14.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:ruggedcom_rox_rx1501:-:*:*:*:*:*:*:*", "matchCriteriaId": "53AAEC5C-06EE-4C58-A981-EBF5860CEF16", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:ruggedcom_rox_rx1501_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "CB658DF3-A68F-4248-B240-9194E17941E1", "versionEndExcluding": "2.14.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:ruggedcom_rox_rx1510:-:*:*:*:*:*:*:*", "matchCriteriaId": "0751225A-6E9C-4281-93A4-A048920FF7C6", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:ruggedcom_rox_rx1510_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "E16E621D-84DB-4F0D-A771-5E282B0292B2", "versionEndExcluding": "2.14.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:ruggedcom_rox_rx1511:-:*:*:*:*:*:*:*", "matchCriteriaId": "8C1E56ED-1E61-4B7E-8EC0-BB2AAD57EF7B", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:ruggedcom_rox_rx1511_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "059624DD-C1C8-408C-8026-D4FBC93C3CF9", "versionEndExcluding": "2.14.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:ruggedcom_rox_rx1512:-:*:*:*:*:*:*:*", "matchCriteriaId": "41ADD701-AD49-46B2-A12E-219CCED32298", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:ruggedcom_rox_rx1512_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "06AF9201-89AB-42E6-97CF-9EDDC17EF7AE", "versionEndExcluding": "2.14.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:ruggedcom_rox_rx5000_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "2656219C-7E23-47F7-AFB7-0D6D3D2ACA85", "versionEndExcluding": "2.14.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:ruggedcom_rox_rx5000:-:*:*:*:*:*:*:*", "matchCriteriaId": "1E0E33F2-E89B-4008-BED2-CF2296801078", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71."}, {"lang": "es", "value": "Al encriptar con un cifrado de bloque, si se realiz\u00f3 una llamada a NSC_EncryptUpdate con datos m\u00e1s peque\u00f1os que el tama\u00f1o del bloque, podr\u00eda producirse una peque\u00f1a escritura fuera de l\u00edmites. Esto podr\u00eda haber causado una corrupci\u00f3n de la pila y un bloqueo explotable potencialmente. Esta vulnerabilidad afecta a Thunderbird versiones anteriores a la versi\u00f3n 68.3, Firefox ESR versiones anteriores a la versi\u00f3n 68.3 y Firefox versiones anteriores a la versi\u00f3n 71."}], "id": "CVE-2019-11745", "lastModified": "2021-02-19T17:22:17.650", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-08T20:15:12.313", "references": [{"source": "security@mozilla.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html"}, {"source": "security@mozilla.org", "tags": ["Issue Tracking", "Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html"}, {"source": "security@mozilla.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0243"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0466"}, {"source": "security@mozilla.org", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-379803.pdf"}, {"source": "security@mozilla.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00029.html"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202003-02"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202003-10"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202003-37"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-040-04"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4241-1/"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4335-1/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-36/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-37/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-38/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Mozilla Project for reporting this issue.", "affected_release": [{"advisory": "RHBA-2020:0547", "cpe": "cpe:/a:redhat:ansible_tower:3.4::el7", "package": "ansible-tower-34/ansible-tower-memcached:1.4.15-28", "product_name": "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date": "2020-02-18T00:00:00Z"}, {"advisory": "RHBA-2020:0547", "cpe": "cpe:/a:redhat:ansible_tower:3.4::el7", "package": "ansible-tower-35/ansible-tower-memcached:1.4.15-28", "product_name": "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date": "2020-02-18T00:00:00Z"}, {"advisory": "RHBA-2020:0547", "cpe": "cpe:/a:redhat:ansible_tower:3.4::el7", "package": "ansible-tower-37/ansible-tower-memcached-rhel7:1.4.15-28", "product_name": "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date": "2020-02-18T00:00:00Z"}, {"advisory": "RHSA-2019:4152", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "nss-softokn-0:3.44.0-6.el6_10", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2019-12-10T00:00:00Z"}, {"advisory": "RHSA-2020:0466", "cpe": "cpe:/o:redhat:rhel_aus:6.6", "package": "nss-softokn-0:3.14.3-23.el6_6", "product_name": "Red Hat Enterprise Linux 6.6 Advanced Update Support", "release_date": "2020-02-11T00:00:00Z"}, {"advisory": "RHSA-2019:4190", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "nss-0:3.44.0-7.el7_7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2019-12-10T00:00:00Z"}, {"advisory": "RHSA-2019:4190", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "nss-softokn-0:3.44.0-8.el7_7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2019-12-10T00:00:00Z"}, {"advisory": "RHSA-2019:4190", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "nss-util-0:3.44.0-4.el7_7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2019-12-10T00:00:00Z"}, {"advisory": "RHSA-2020:1345", "cpe": "cpe:/o:redhat:rhel_aus:7.4", "package": "nss-softokn-0:3.28.3-9.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Advanced Update Support", "release_date": "2020-04-07T00:00:00Z"}, {"advisory": "RHSA-2020:1345", "cpe": "cpe:/o:redhat:rhel_tus:7.4", "package": "nss-softokn-0:3.28.3-9.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Telco Extended Update Support", "release_date": "2020-04-07T00:00:00Z"}, {"advisory": "RHSA-2020:1345", "cpe": "cpe:/o:redhat:rhel_e4s:7.4", "package": "nss-softokn-0:3.28.3-9.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions", "release_date": "2020-04-07T00:00:00Z"}, {"advisory": "RHSA-2020:1267", "cpe": "cpe:/o:redhat:rhel_eus:7.5", "package": "nss-softokn-0:3.36.0-6.el7_5", "product_name": "Red Hat Enterprise Linux 7.5 Extended Update Support", "release_date": "2020-04-01T00:00:00Z"}, {"advisory": "RHSA-2020:1461", "cpe": "cpe:/o:redhat:rhel_eus:7.6", "package": "nss-softokn-0:3.36.0-6.el7_6", "product_name": "Red Hat Enterprise Linux 7.6 Extended Update Support", "release_date": "2020-04-14T00:00:00Z"}, {"advisory": "RHSA-2019:4114", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nss-0:3.44.0-9.el8_1", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-12-09T00:00:00Z"}, {"advisory": "RHSA-2020:0243", "cpe": "cpe:/a:redhat:rhel_e4s:8.0", "package": "nss-0:3.44.0-8.el8_0", "product_name": "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions", "release_date": "2020-01-27T00:00:00Z"}], "bugzilla": {"description": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", "id": "1774831", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1774831"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-787", "details": ["When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71.", "A heap-based buffer overflow was found in the NSC_EncryptUpdate() function in Mozilla nss. A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations, to execute arbitrary code with the permissions of the user running the application (compiled with nss). While the attack complexity is high, the impact to confidentiality, integrity, and availability are high as well."], "name": "CVE-2019-11745", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Out of support scope", "package_name": "nss", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2019-11-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-11745\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-11745\nhttps://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes\nhttps://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes"], "statement": "Firefox and Thunderbird on Red Hat Enterprise Linux are built against the system nss library.", "threat_severity": "Important", "upstream_fix": "nss 3.44.3, nss 3.47.1"}