{"containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "affected", "version": "before 71"}]}], "descriptions": [{"lang": "en", "value": "Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). This vulnerability affects Firefox < 71."}], "problemTypes": [{"descriptions": [{"description": "Use-after-free of SFTKSession object", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-01-08T19:23:29", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-36/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1508776"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-11756", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Firefox", "version": {"version_data": [{"version_value": "before 71"}]}}]}, "vendor_name": "Mozilla"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). This vulnerability affects Firefox < 71."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Use-after-free of SFTKSession object"}]}]}, "references": {"reference_data": [{"name": "https://www.mozilla.org/security/advisories/mfsa2019-36/", "refsource": "CONFIRM", "url": "https://www.mozilla.org/security/advisories/mfsa2019-36/"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1508776", "refsource": "CONFIRM", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1508776"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:03:32.815Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-36/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1508776"}]}]}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-11756", "datePublished": "2020-01-08T19:23:29", "dateReserved": "2019-05-03T00:00:00", "dateUpdated": "2024-08-04T23:03:32.815Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "13CA3D58-3E63-46A9-9E84-0EE98E85FCCD", "versionEndExcluding": "71.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). This vulnerability affects Firefox < 71."}, {"lang": "es", "value": "Un recuento de referencias inapropiado de los objetos de sesi\u00f3n de token programable podr\u00eda causar un uso de la memoria previamente liberada y un bloqueo (probablemente limitado a una denegaci\u00f3n de servicio). Esta vulnerabilidad afecta a Firefox versiones anteriores a la veris\u00f3n 71."}], "id": "CVE-2019-11756", "lastModified": "2020-01-13T18:02:54.793", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-08T20:15:12.390", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1508776"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-36/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Mozilla project for reporting this issue.", "affected_release": [{"advisory": "RHSA-2020:4076", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "nspr-0:4.25.0-2.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-09-29T00:00:00Z"}, {"advisory": "RHSA-2020:4076", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "nss-0:3.53.1-3.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-09-29T00:00:00Z"}, {"advisory": "RHSA-2020:4076", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "nss-softokn-0:3.53.1-6.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-09-29T00:00:00Z"}, {"advisory": "RHSA-2020:4076", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "nss-util-0:3.53.1-1.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-09-29T00:00:00Z"}, {"advisory": "RHSA-2021:0758", "cpe": "cpe:/o:redhat:rhel_aus:7.4", "package": "nss-softokn-0:3.28.3-10.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Advanced Update Support", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0758", "cpe": "cpe:/o:redhat:rhel_tus:7.4", "package": "nss-softokn-0:3.28.3-10.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Telco Extended Update Support", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0758", "cpe": "cpe:/o:redhat:rhel_e4s:7.4", "package": "nss-softokn-0:3.28.3-10.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0876", "cpe": "cpe:/o:redhat:rhel_eus:7.6", "package": "nss-0:3.36.0-9.el7_6", "product_name": "Red Hat Enterprise Linux 7.6 Extended Update Support", "release_date": "2021-03-16T00:00:00Z"}, {"advisory": "RHSA-2021:0876", "cpe": "cpe:/o:redhat:rhel_eus:7.6", "package": "nss-softokn-0:3.36.0-7.el7_6", "product_name": "Red Hat Enterprise Linux 7.6 Extended Update Support", "release_date": "2021-03-16T00:00:00Z"}, {"advisory": "RHSA-2021:1026", "cpe": "cpe:/o:redhat:rhel_eus:7.7", "package": "nss-softokn-0:3.44.0-9.el7_7", "product_name": "Red Hat Enterprise Linux 7.7 Extended Update Support", "release_date": "2021-03-30T00:00:00Z"}, {"advisory": "RHSA-2020:3280", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nspr-0:4.25.0-2.el8_2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3280", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nss-0:3.53.1-11.el8_2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2021:0949", "cpe": "cpe:/a:redhat:openshift_do:1.0::el7", "package": "openshiftdo/odo-init-image-rhel7:1.1.3-2", "product_name": "Red Hat OpenShift Do", "release_date": "2021-03-22T00:00:00Z"}], "bugzilla": {"description": "nss: Use-after-free in sftk_FreeSession due to improper refcounting", "id": "1774835", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1774835"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). This vulnerability affects Firefox < 71.", "A use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS."], "name": "CVE-2019-11756", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Out of support scope", "package_name": "nss", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "nss", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2019-12-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-11756\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-11756\nhttps://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47_release_notes"], "statement": "This flaw was fixed in upstream nss-3.47. Exploitation of this flaw is difficult and even impossible in most cases.", "threat_severity": "Moderate", "upstream_fix": "nss 3.47"}