ALAS-2020-1355 --- nss, nsprID: oval:org.secpod.oval:def:1601120 | Date: (C)2020-03-20 (M)2024-05-22 |
Class: PATCH | Family: unix |
A heap-based buffer overflow was found in the NSC_EncryptUpdate function in Mozilla nss. A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations, to execute arbitrary code with the permissions of the user running the application . While the attack complexity is high, the impact to confidentiality, integrity, and availability are high as well. A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack and affects all NSS versions prior to NSS 3.41. Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR CVE-2019-11729 (CVE-2018-0495
Platform: |
Amazon Linux AMI |