CVE-2019-17006
Vulnerability Summary
Description
In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow.
CVSS Metrics
- v3.1 • CRITICAL • Score: 9.8 • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- v2.0 • HIGH • Score: 10 • Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS Trends
Current EPSS score: 3.04% • Percentile: 87%
Techniques & Countermeasures
- CWE-20 • Improper Input Validation
  The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- CWE-119 • Improper Restriction of Operations within the Bounds of a Memory Buffer
  The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Affected Systems
- mozilla • network_security_services: < 3.46
- mozilla • nss: ≥ unspecified, < 3.46
- netapp • hci_compute_node_firmware: na
- netapp • hci_management_node: na
- netapp • hci_storage_node: na
- netapp • solidfire: na
- siemens • ruggedcom rox mx5000: < 2.14.0
- siemens • ruggedcom rox rx1400: < 2.14.0
- siemens • ruggedcom rox rx1500: < 2.14.0
- siemens • ruggedcom rox rx1501: < 2.14.0
- siemens • ruggedcom rox rx1510: < 2.14.0
- siemens • ruggedcom rox rx1511: < 2.14.0
- siemens • ruggedcom rox rx1512: < 2.14.0
- siemens • ruggedcom rox rx5000: < 2.14.0
References (5)
- https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.46_release_notes
- https://bugzilla.mozilla.org/show_bug.cgi?id=1539788
- https://security.netapp.com/advisory/ntap-20210129-0001/
- https://cert-portal.siemens.com/productcert/pdf/ssa-379803.pdf
- https://us-cert.cisa.gov/ics/advisories/icsa-21-040-04