CVE-2019-17006
nss: Check length of inputs for cryptographic primitives
Severity Score
9.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow.
En Network Security Services (NSS) versiones anteriores a 3.46, varias primitivas criptográficas presentaban una falta de comprobación de longitud. En los casos en que la aplicación que llama a la biblioteca no llevó a cabo una comprobación de saneo en las entradas, lo que podría resultar en un bloqueo debido a un desbordamiento del búfer
A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2019-09-30 CVE Reserved
- 2020-01-09 CVE Published
- 2024-04-13 EPSS Updated
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-122: Heap-based Buffer Overflow
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| https://cert-portal.siemens.com/productcert/pdf/ssa-379803.pdf | Third Party Advisory |
|
| https://security.netapp.com/advisory/ntap-20210129-0001 | Third Party Advisory |
|
| https://us-cert.cisa.gov/ics/advisories/icsa-21-040-04 | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.mozilla.org/show_bug.cgi?id=1539788 | 2024-08-05 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.46_release_notes | 2021-07-21 | |
| https://access.redhat.com/security/cve/CVE-2019-17006 | 2021-03-30 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1775916 | 2021-03-30 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Siemens Search vendor "Siemens" | Ruggedcom Rox Mx5000 Firmware Search vendor "Siemens" for product "Ruggedcom Rox Mx5000 Firmware" | < 2.14.0 Search vendor "Siemens" for product "Ruggedcom Rox Mx5000 Firmware" and version " < 2.14.0" | - |
Affected
| in | Siemens Search vendor "Siemens" | Ruggedcom Rox Mx5000 Search vendor "Siemens" for product "Ruggedcom Rox Mx5000" | - | - |
Safe
|
| Siemens Search vendor "Siemens" | Ruggedcom Rox Rx1400 Firmware Search vendor "Siemens" for product "Ruggedcom Rox Rx1400 Firmware" | < 2.14.0 Search vendor "Siemens" for product "Ruggedcom Rox Rx1400 Firmware" and version " < 2.14.0" | - |
Affected
| in | Siemens Search vendor "Siemens" | Ruggedcom Rox Rx1400 Search vendor "Siemens" for product "Ruggedcom Rox Rx1400" | - | - |
Safe
|
| Siemens Search vendor "Siemens" | Ruggedcom Rox Rx1500 Firmware Search vendor "Siemens" for product "Ruggedcom Rox Rx1500 Firmware" | < 2.14.0 Search vendor "Siemens" for product "Ruggedcom Rox Rx1500 Firmware" and version " < 2.14.0" | - |
Affected
| in | Siemens Search vendor "Siemens" | Ruggedcom Rox Rx1500 Search vendor "Siemens" for product "Ruggedcom Rox Rx1500" | - | - |
Safe
|
| Siemens Search vendor "Siemens" | Ruggedcom Rox Rx1501 Firmware Search vendor "Siemens" for product "Ruggedcom Rox Rx1501 Firmware" | < 2.14.0 Search vendor "Siemens" for product "Ruggedcom Rox Rx1501 Firmware" and version " < 2.14.0" | - |
Affected
| in | Siemens Search vendor "Siemens" | Ruggedcom Rox Rx1501 Search vendor "Siemens" for product "Ruggedcom Rox Rx1501" | - | - |
Safe
|
| Siemens Search vendor "Siemens" | Ruggedcom Rox Rx1510 Firmware Search vendor "Siemens" for product "Ruggedcom Rox Rx1510 Firmware" | < 2.14.0 Search vendor "Siemens" for product "Ruggedcom Rox Rx1510 Firmware" and version " < 2.14.0" | - |
Affected
| in | Siemens Search vendor "Siemens" | Ruggedcom Rox Rx1510 Search vendor "Siemens" for product "Ruggedcom Rox Rx1510" | - | - |
Safe
|
| Siemens Search vendor "Siemens" | Ruggedcom Rox Rx1511 Firmware Search vendor "Siemens" for product "Ruggedcom Rox Rx1511 Firmware" | < 2.14.0 Search vendor "Siemens" for product "Ruggedcom Rox Rx1511 Firmware" and version " < 2.14.0" | - |
Affected
| in | Siemens Search vendor "Siemens" | Ruggedcom Rox Rx1511 Search vendor "Siemens" for product "Ruggedcom Rox Rx1511" | - | - |
Safe
|
| Siemens Search vendor "Siemens" | Ruggedcom Rox Rx1512 Firmware Search vendor "Siemens" for product "Ruggedcom Rox Rx1512 Firmware" | < 2.14.0 Search vendor "Siemens" for product "Ruggedcom Rox Rx1512 Firmware" and version " < 2.14.0" | - |
Affected
| in | Siemens Search vendor "Siemens" | Ruggedcom Rox Rx1512 Search vendor "Siemens" for product "Ruggedcom Rox Rx1512" | - | - |
Safe
|
| Siemens Search vendor "Siemens" | Ruggedcom Rox Rx5000 Firmware Search vendor "Siemens" for product "Ruggedcom Rox Rx5000 Firmware" | < 2.14.0 Search vendor "Siemens" for product "Ruggedcom Rox Rx5000 Firmware" and version " < 2.14.0" | - |
Affected
| in | Siemens Search vendor "Siemens" | Ruggedcom Rox Rx5000 Search vendor "Siemens" for product "Ruggedcom Rox Rx5000" | - | - |
Safe
|
| Mozilla Search vendor "Mozilla" | Network Security Services Search vendor "Mozilla" for product "Network Security Services" | < 3.46 Search vendor "Mozilla" for product "Network Security Services" and version " < 3.46" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Hci Management Node Search vendor "Netapp" for product "Hci Management Node" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Solidfire Search vendor "Netapp" for product "Solidfire" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Hci Compute Node Search vendor "Netapp" for product "Hci Compute Node" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Hci Storage Node Search vendor "Netapp" for product "Hci Storage Node" | - | - |
Affected
| ||||||