Published: 23/07/2019 Updated: 30/09/2020

CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 446

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

A heap-based buffer overflow was found in the NSC_EncryptUpdate() function in Mozilla nss. A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations, to execute arbitrary code with the permissions of the user running the application (compiled with nss). While the attack complexity is high, the impact to confidentiality, integrity, and availability are high as well. (CVE-2019-11745) A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41. (CVE-2018-12404) Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. (CVE-2019-11729 ) Libgcrypt prior to 1.7.10 and 1.8.x prior to 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. (CVE-2018-0495)

Vulnerable Product	Search on Vulmon	Subscribe to Product
mozilla firefox
mozilla thunderbird
mozilla firefox esr

Synopsis Moderate: nss and nspr security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Topic An update for nss and nspr is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability ...

Synopsis Important: nss, nss-softokn, nss-util security update Type/Severity Security Advisory: Important Topic An update for nss, nss-softokn, and nss-util is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Important A Common Vulne ...

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, cross-site scripting, spoofing, information disclosure, denial of service or cross-site request forgery For the oldstable distribution (stretch), these problems have been fixed in version 6080esr-1~deb9u ...

Multiple security issues have been found in Thunderbird which could potentially result in the execution of arbitrary code, cross-site scripting, spoofing, information disclosure, denial of service or cross-site request forgery CVE-2019-11719 and CVE-2019-11729 are only addressed for stretch, in buster Thunderbird uses the system-wide copy of NSS ...

A heap-based buffer overflow was found in the NSC_EncryptUpdate() function in Mozilla nss A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations, to execute arbitrary code with the permissions of the user running the application (compiled with nss) While the attack complexity is high, the impact to confidentiality, integ ...

Several security issues were fixed in NSS ...

Several security issues were fixed in Thunderbird ...

Firefox could be made to crash or run programs as your login if it opened a malicious website ...

USN-4054-1 caused some minor regressions in Firefox ...

Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used This vulnerability affects Firefox ESR < 608, Firefox < 68, and Thunderbird < 608 (CVE-2019-11729) A heap-based buffer overflow was found in the NSC_EncryptUpdate() function in Mozilla ...

Empty or malformed p256-ECDH public keys may trigger a segmentation fault in Firefox before 680 due values being improperly sanitized before being copied into memory and used ...

Mozilla Foundation Security Advisory 2019-21 Security vulnerabilities fixed in Firefox 68 Announced July 9, 2019 Impact critical Products Firefox Fixed in Firefox 68 ...

Mozilla Foundation Security Advisory 2019-28 Security vulnerabilities fixed in Thunderbird 68 Announced August 27, 2019 Impact critical Products Thunderbird Fixed in Thunderbird 68 ...

Mozilla Foundation Security Advisory 2019-22 Security vulnerabilities fixed in Firefox ESR 608 Announced July 9, 2019 Impact critical Products Firefox ESR Fixed in Firefox ESR 608 ...

Mozilla Foundation Security Advisory 2019-23 Security vulnerabilities fixed in Thunderbird 608 Announced July 9, 2019 Impact critical Products Thunderbird Fixed in Thunderbird 608 ...

CWE-119 https://www.mozilla.org/security/advisories/mfsa2019-21/https://www.mozilla.org/security/advisories/mfsa2019-22/https://www.mozilla.org/security/advisories/mfsa2019-23/https://bugzilla.mozilla.org/show_bug.cgi?id=1515342 http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html https://access.redhat.com/errata/RHSA-2019:1951 https://security.gentoo.org/glsa/201908-12 https://security.gentoo.org/glsa/201908-20 http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html https://access.redhat.com/errata/RHSA-2019:4190 https://lists.debian.org/debian-lts-announce/2020/09/msg00029.html https://access.redhat.com/errata/RHSA-2019:1951 https://nvd.nist.gov https://usn.ubuntu.com/4060-1/https://www.debian.org/security/2019/dsa-4479 https://alas.aws.amazon.com/ALAS-2020-1355.html

Get Started

CVE-2019-11729

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect