Remote Code Execution Vulnerability in NSS Library by Mozilla
CVE-2020-25648

7.5HIGH

Key Information:

Vendor: Mozilla
Status: Nss
Vendor: CVE Published:; 20 October 2020

Summary

A flaw exists in the Network Security Services library's handling of ChangeCipherSpec messages within TLS 1.3, enabling remote attackers to flood servers with multiple CCS messages. This can lead to a denial of service, as the targeted servers may become unresponsive. The issue affects all NSS versions prior to 3.58, highlighting the importance of upgrading to mitigate potential availability threats.

Affected Version(s)

nss nss versions before 3.58

References

https://bugzilla.redhat.com/show_bug.cgi?id=1887319

https://developer.mozilla.org/en-US/docs/Mozilla/Projects...

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 20, 2020
Vulnerability Reserved
Sep 16, 2020