CVE-2019-11745

When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out-of-bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71.
CVSS scores

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 8.8 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| mozilla | CNA | --- | --- | --- | --- | --- |
| CVE | ADP | --- | --- | --- | --- | --- |

Base score shown: CVSS 3.x

EPSS Score percentile: 69%
Affected software

| Vendor | Product | Vulnerable | Version |
|---|---|---|---|
| mozilla | firefox | 𝑥 | < 71.0 |
| mozilla | firefox_esr | 𝑥 | < 68.3 |
| mozilla | thunderbird | 𝑥 | < 68.3.0 |
| opensuse | leap | | 15.1 |
| canonical | ubuntu_linux | | 16.04 |
| canonical | ubuntu_linux | | 18.04 |
| canonical | ubuntu_linux | | 19.10 |
| debian | debian_linux | | 9.0 |
| redhat | enterprise_linux_server_aus | | 6.6 |
| siemens | ruggedcom_rox_mx5000_firmware | 𝑥 | < 2.14.0 |
| siemens | ruggedcom_rox_rx1400_firmware | 𝑥 | < 2.14.0 |
| siemens | ruggedcom_rox_rx1500_firmware | 𝑥 | < 2.14.0 |
| siemens | ruggedcom_rox_rx1501_firmware | 𝑥 | < 2.14.0 |
| siemens | ruggedcom_rox_rx1510_firmware | 𝑥 | < 2.14.0 |
| siemens | ruggedcom_rox_rx1511_firmware | 𝑥 | < 2.14.0 |
| siemens | ruggedcom_rox_rx1512_firmware | 𝑥 | < 2.14.0 |
| siemens | ruggedcom_rox_rx5000_firmware | 𝑥 | < 2.14.0 |

𝑥 = Vulnerable software versions
Debian Releases (Debian product: nss)

| Codename | Version | Status |
|---|---|---|
| bullseye | 2:3.61-1+deb11u3 | fixed |
| bullseye (security) | 2:3.61-1+deb11u4 | fixed |
| bookworm | 2:3.87.1-1 | fixed |
| sid | 2:3.105-2 | fixed |
| trixie | 2:3.105-2 | fixed |
Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| firefox | eoan | Fixed 71.0+build5-0ubuntu0.19.10.1 | released |
| firefox | disco | Fixed 71.0+build5-0ubuntu0.19.04.1 | released |
| firefox | bionic | Fixed 71.0+build5-0ubuntu0.18.04.1 | released |
| firefox | xenial | Fixed 71.0+build5-0ubuntu0.16.04.1 | released |
| firefox | trusty | | dne |
| nss | eoan | Fixed 2:3.45-1ubuntu2.1 | released |
| nss | disco | Fixed 2:3.42-1ubuntu2.3 | released |
| nss | bionic | Fixed 2:3.35-2ubuntu2.5 | released |
| nss | xenial | Fixed 2:3.28.4-0ubuntu0.16.04.8 | released |
| nss | trusty | Fixed 2:3.28.4-0ubuntu0.14.04.5+esm2 | released |
| thunderbird | eoan | Fixed 1:68.4.1+build1-0ubuntu0.19.10.1 | released |
| thunderbird | disco | | ignored |
| thunderbird | bionic | Fixed 1:68.4.1+build1-0ubuntu0.18.04.1 | released |
| thunderbird | xenial | Fixed 1:68.7.0+build1-0ubuntu0.16.04.2 | released |
| thunderbird | trusty | | dne |
References