// For flags

CVE-2019-17006

nss: Check length of inputs for cryptographic primitives

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow.

En Network Security Services (NSS) versiones anteriores a 3.46, varias primitivas criptográficas presentaban una falta de comprobación de longitud. En los casos en que la aplicación que llama a la biblioteca no llevó a cabo una comprobación de saneo en las entradas, lo que podría resultar en un bloqueo debido a un desbordamiento del búfer

A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-09-30 CVE Reserved
  • 2020-01-09 CVE Published
  • 2024-04-13 EPSS Updated
  • 2024-08-05 CVE Updated
  • 2024-08-05 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-20: Improper Input Validation
  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWE-122: Heap-based Buffer Overflow
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Siemens
Search vendor "Siemens"
Ruggedcom Rox Mx5000 Firmware
Search vendor "Siemens" for product "Ruggedcom Rox Mx5000 Firmware"
< 2.14.0
Search vendor "Siemens" for product "Ruggedcom Rox Mx5000 Firmware" and version " < 2.14.0"
-
Affected
in Siemens
Search vendor "Siemens"
Ruggedcom Rox Mx5000
Search vendor "Siemens" for product "Ruggedcom Rox Mx5000"
--
Safe
Siemens
Search vendor "Siemens"
Ruggedcom Rox Rx1400 Firmware
Search vendor "Siemens" for product "Ruggedcom Rox Rx1400 Firmware"
< 2.14.0
Search vendor "Siemens" for product "Ruggedcom Rox Rx1400 Firmware" and version " < 2.14.0"
-
Affected
in Siemens
Search vendor "Siemens"
Ruggedcom Rox Rx1400
Search vendor "Siemens" for product "Ruggedcom Rox Rx1400"
--
Safe
Siemens
Search vendor "Siemens"
Ruggedcom Rox Rx1500 Firmware
Search vendor "Siemens" for product "Ruggedcom Rox Rx1500 Firmware"
< 2.14.0
Search vendor "Siemens" for product "Ruggedcom Rox Rx1500 Firmware" and version " < 2.14.0"
-
Affected
in Siemens
Search vendor "Siemens"
Ruggedcom Rox Rx1500
Search vendor "Siemens" for product "Ruggedcom Rox Rx1500"
--
Safe
Siemens
Search vendor "Siemens"
Ruggedcom Rox Rx1501 Firmware
Search vendor "Siemens" for product "Ruggedcom Rox Rx1501 Firmware"
< 2.14.0
Search vendor "Siemens" for product "Ruggedcom Rox Rx1501 Firmware" and version " < 2.14.0"
-
Affected
in Siemens
Search vendor "Siemens"
Ruggedcom Rox Rx1501
Search vendor "Siemens" for product "Ruggedcom Rox Rx1501"
--
Safe
Siemens
Search vendor "Siemens"
Ruggedcom Rox Rx1510 Firmware
Search vendor "Siemens" for product "Ruggedcom Rox Rx1510 Firmware"
< 2.14.0
Search vendor "Siemens" for product "Ruggedcom Rox Rx1510 Firmware" and version " < 2.14.0"
-
Affected
in Siemens
Search vendor "Siemens"
Ruggedcom Rox Rx1510
Search vendor "Siemens" for product "Ruggedcom Rox Rx1510"
--
Safe
Siemens
Search vendor "Siemens"
Ruggedcom Rox Rx1511 Firmware
Search vendor "Siemens" for product "Ruggedcom Rox Rx1511 Firmware"
< 2.14.0
Search vendor "Siemens" for product "Ruggedcom Rox Rx1511 Firmware" and version " < 2.14.0"
-
Affected
in Siemens
Search vendor "Siemens"
Ruggedcom Rox Rx1511
Search vendor "Siemens" for product "Ruggedcom Rox Rx1511"
--
Safe
Siemens
Search vendor "Siemens"
Ruggedcom Rox Rx1512 Firmware
Search vendor "Siemens" for product "Ruggedcom Rox Rx1512 Firmware"
< 2.14.0
Search vendor "Siemens" for product "Ruggedcom Rox Rx1512 Firmware" and version " < 2.14.0"
-
Affected
in Siemens
Search vendor "Siemens"
Ruggedcom Rox Rx1512
Search vendor "Siemens" for product "Ruggedcom Rox Rx1512"
--
Safe
Siemens
Search vendor "Siemens"
Ruggedcom Rox Rx5000 Firmware
Search vendor "Siemens" for product "Ruggedcom Rox Rx5000 Firmware"
< 2.14.0
Search vendor "Siemens" for product "Ruggedcom Rox Rx5000 Firmware" and version " < 2.14.0"
-
Affected
in Siemens
Search vendor "Siemens"
Ruggedcom Rox Rx5000
Search vendor "Siemens" for product "Ruggedcom Rox Rx5000"
--
Safe
Mozilla
Search vendor "Mozilla"
Network Security Services
Search vendor "Mozilla" for product "Network Security Services"
< 3.46
Search vendor "Mozilla" for product "Network Security Services" and version " < 3.46"
-
Affected
Netapp
Search vendor "Netapp"
Hci Management Node
Search vendor "Netapp" for product "Hci Management Node"
--
Affected
Netapp
Search vendor "Netapp"
Solidfire
Search vendor "Netapp" for product "Solidfire"
--
Affected
Netapp
Search vendor "Netapp"
Hci Compute Node
Search vendor "Netapp" for product "Hci Compute Node"
--
Affected
Netapp
Search vendor "Netapp"
Hci Storage Node
Search vendor "Netapp" for product "Hci Storage Node"
--
Affected