Out-of-Bounds Read Vulnerability in NSS Affecting Mozilla Products
CVE-2020-12403
9.1 CRITICAL
Summary
A vulnerability was identified in the NSS implementation of ChaCha20-Poly1305, specifically when using multi-part ChaCha20, leading to potential out-of-bounds reads. This could compromise data confidentiality and system availability. The resolution included disabling the malfunctioning multi-part ChaCha20 feature and enforcing strict tag length checks to mitigate the risks associated with this flaw.
Affected Version(s)
nss nss 3.55
CVSS V3.1
Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved