CVE-2020-12403

9.1CRITICAL

Key Information:

Vendor: Mozilla
Status: Nss
Vendor: CVE Published:; 27 May 2021

Summary

A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.

Affected Version(s)

nss nss 3.55

References

https://bugzilla.redhat.com/show_bug.cgi?id=1868931

https://developer.mozilla.org/en-US/docs/Mozilla/Projects...

https://lists.debian.org/debian-lts-announce/2023/02/msg0...

mailing-list

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 27, 2021
Vulnerability Reserved
Apr 28, 2020