CVE-2019-11719

Description

When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

CVSS Metrics

• v3.0•HIGH•Score: 7.5CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
• v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 0.44%• Percentile: 63%

Techniques & Countermeasures

• CWE-125•Out-of-bounds Read

  The product reads data past the end, or before the beginning, of the intended buffer.

Affected Systems

• mozilla•firefox

  < 60.8.0 | < 68.0 | ≥ unspecified, < 68

• mozilla•firefox_esr

  ≥ unspecified, < 60.8

• mozilla•thunderbird

  < 60.8.0 | ≥ unspecified, < 60.8

References (13)

• https://www.mozilla.org/security/advisories/mfsa2019-21/
• https://www.mozilla.org/security/advisories/mfsa2019-22/
• https://www.mozilla.org/security/advisories/mfsa2019-23/
• https://bugzilla.mozilla.org/show_bug.cgi?id=1540541
• http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html
• http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html
• https://access.redhat.com/errata/RHSA-2019:1951
• https://security.gentoo.org/glsa/201908-12
• https://security.gentoo.org/glsa/201908-20
• http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html
• http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html
• http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html
• https://lists.debian.org/debian-lts-announce/2020/09/msg00029.html