CVE-2019-17023

After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72.

CVSS 3.x

| Provider | Type | Base Score | Attack Vector | Attack Complexity | Privileges Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 6.5 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |

EPSS Score
Percentile: 75%

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| mozilla | firefox | 𝑥 < 72.0 |
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 18.04 |
| canonical | ubuntu_linux | 19.04 |
| canonical | ubuntu_linux | 19.10 |
| canonical | ubuntu_linux | 20.04 |
| debian | debian_linux | 10.0 |

𝑥 = Vulnerable software versions

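Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| firefox | jessie | | not-affected |
| firefox | sid | 132.0.1-1 | fixed |
| firefox | stretch | | not-affected |
| nss | bookworm | 2:3.87.1-1 | fixed |
| nss | bullseye | 2:3.61-1+deb11u3 | fixed |
| nss | bullseye (security) | 2:3.61-1+deb11u4 | fixed |
| nss | jessie | | not-affected |
| nss | sid | 2:3.105-2 | fixed |
| nss | stretch | | not-affected |
| nss | trixie | 2:3.105-2 | fixed |
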
Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| firefox | bionic | Fixed 72.0.1+build1-0ubuntu0.18.04.1 | released |
| firefox | disco | Fixed 72.0.1+build1-0ubuntu0.19.04.1 | released |
| firefox | eoan | Fixed 72.0.1+build1-0ubuntu0.19.10.1 | released |
| firefox | focal | Fixed 72.0.1+build1-0ubuntu1 | released |
| firefox | trusty | | dne |
| firefox | xenial | Fixed 72.0.1+build1-0ubuntu0.16.04.1 | released |
| nss | bionic | Fixed 2:3.35-2ubuntu2.8 | released |
| nss | disco | | ignored |
| nss | eoan | Fixed 2:3.45-1ubuntu2.3 | released |
| nss | focal | | not-affected |
| nss | trusty | | not-affected |
| nss | xenial | | not-affected |

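Red Hat Enterprise Linux Releases

| Red Hat Product | Release | Version | Status |
|---|---|---|---|
| nspr | RHEL 7 | 0:4.25.0-2.el7_9 | fixed |
| nspr | RHEL 8 | 0:4.25.0-2.el8_2 | fixed |
| nspr | RHEL 8.2 AUS | 0:4.25.0-2.el8_2 | fixed |
| nspr | RHEL 8.2 E4S | 0:4.25.0-2.el8_2 | fixed |
| nspr | RHEL 8.2 EUS | 0:4.25.0-2.el8_2 | fixed |
| nspr | RHEL 8.2 TUS | 0:4.25.0-2.el8_2 | fixed |
| nspr-devel | RHEL 7 | 0:4.25.0-2.el7_9 | fixed |
| nspr-devel | RHEL 8 | 0:4.25.0-2.el8_2 | fixed |
| nspr-devel | RHEL 8.2 AUS | 0:4.25.0-2.el8_2 | fixed |
| nspr-devel | RHEL 8.2 E4S | 0:4.25.0-2.el8_2 | fixed |
| nspr-devel | RHEL 8.2 EUS | 0:4.25.0-2.el8_2 | fixed |
| nspr-devel | RHEL 8.2 TUS | 0:4.25.0-2.el8_2 | fixed |
| nss | RHEL 7 | 0:3.53.1-3.el7_9 | fixed |
| nss | RHEL 8 | 0:3.53.1-11.el8_2 | fixed |
| nss | RHEL 8.2 AUS | 0:3.53.1-11.el8_2 | fixed |
| nss | RHEL 8.2 E4S | 0:3.53.1-11.el8_2 | fixed |
| nss | RHEL 8.2 EUS | 0:3.53.1-11.el8_2 | fixed |
| nss | RHEL 8.2 TUS | 0:3.53.1-11.el8_2 | fixed |
| nss-devel | RHEL 7 | 0:3.53.1-3.el7_9 | fixed |
| nss-devel | RHEL 8 | 0:3.53.1-11.el8_2 | fixed |
| nss-devel | RHEL 8.2 AUS | 0:3.53.1-11.el8_2 | fixed |
| nss-devel | RHEL 8.2 E4S | 0:3.53.1-11.el8_2 | fixed |
| nss-devel | RHEL 8.2 EUS | 0:3.53.1-11.el8_2 | fixed |
| nss-devel | RHEL 8.2 TUS | 0:3.53.1-11.el8_2 | fixed |
| nss-pkcs11-devel | RHEL 7 | 0:3.53.1-3.el7_9 | fixed |
| nss-softokn | RHEL 7 | 0:3.53.1-6.el7_9 | fixed |
| nss-softokn | RHEL 8 | 0:3.53.1-11.el8_2 | fixed |
| nss-softokn | RHEL 8.2 AUS | 0:3.53.1-11.el8_2 | fixed |
| nss-softokn | RHEL 8.2 E4S | 0:3.53.1-11.el8_2 | fixed |
| nss-softokn | RHEL 8.2 EUS | 0:3.53.1-11.el8_2 | fixed |
| nss-softokn | RHEL 8.2 TUS | 0:3.53.1-11.el8_2 | fixed |
| nss-softokn-devel | RHEL 7 | 0:3.53.1-6.el7_9 | fixed |
| nss-softokn-devel | RHEL 8 | 0:3.53.1-11.el8_2 | fixed |
| nss-softokn-devel | RHEL 8.2 AUS | 0:3.53.1-11.el8_2 | fixed |
| nss-softokn-devel | RHEL 8.2 E4S | 0:3.53.1-11.el8_2 | fixed |
| nss-softokn-devel | RHEL 8.2 EUS | 0:3.53.1-11.el8_2 | fixed |
| nss-softokn-devel | RHEL 8.2 TUS | 0:3.53.1-11.el8_2 | fixed |
| nss-softokn-freebl | RHEL 7 | 0:3.53.1-6.el7_9 | fixed |
| nss-softokn-freebl | RHEL 8 | 0:3.53.1-11.el8_2 | fixed |
| nss-softokn-freebl | RHEL 8.2 AUS | 0:3.53.1-11.el8_2 | fixed |
| nss-softokn-freebl | RHEL 8.2 E4S | 0:3.53.1-11.el8_2 | fixed |
| nss-softokn-freebl | RHEL 8.2 EUS | 0:3.53.1-11.el8_2 | fixed |
| nss-softokn-freebl | RHEL 8.2 TUS | 0:3.53.1-11.el8_2 | fixed |
| nss-softokn-freebl-devel | RHEL 7 | 0:3.53.1-6.el7_9 | fixed |
| nss-softokn-freebl-devel | RHEL 8 | 0:3.53.1-11.el8_2 | fixed |
| nss-softokn-freebl-devel | RHEL 8.2 AUS | 0:3.53.1-11.el8_2 | fixed |
| nss-softokn-freebl-devel | RHEL 8.2 E4S | 0:3.53.1-11.el8_2 | fixed |
| nss-softokn-freebl-devel | RHEL 8.2 EUS | 0:3.53.1-11.el8_2 | fixed |
| nss-softokn-freebl-devel | RHEL 8.2 TUS | 0:3.53.1-11.el8_2 | fixed |
| nss-sysinit | RHEL 7 | 0:3.53.1-3.el7_9 | fixed |
| nss-sysinit | RHEL 8 | 0:3.53.1-11.el8_2 | fixed |
| nss-sysinit | RHEL 8.2 AUS | 0:3.53.1-11.el8_2 | fixed |
| nss-sysinit | RHEL 8.2 E4S | 0:3.53.1-11.el8_2 | fixed |
| nss-sysinit | RHEL 8.2 EUS | 0:3.53.1-11.el8_2 | fixed |
| nss-sysinit | RHEL 8.2 TUS | 0:3.53.1-11.el8_2 | fixed |
| nss-tools | RHEL 7 | 0:3.53.1-3.el7_9 | fixed |
| nss-tools | RHEL 8 | 0:3.53.1-11.el8_2 | fixed |
| nss-tools | RHEL 8.2 AUS | 0:3.53.1-11.el8_2 | fixed |
| nss-tools | RHEL 8.2 E4S | 0:3.53.1-11.el8_2 | fixed |
| nss-tools | RHEL 8.2 EUS | 0:3.53.1-11.el8_2 | fixed |
| nss-tools | RHEL 8.2 TUS | 0:3.53.1-11.el8_2 | fixed |
| nss-util | RHEL 7 | 0:3.53.1-1.el7_9 | fixed |
| nss-util | RHEL 8 | 0:3.53.1-11.el8_2 | fixed |
| nss-util | RHEL 8.2 AUS | 0:3.53.1-11.el8_2 | fixed |
| nss-util | RHEL 8.2 E4S | 0:3.53.1-11.el8_2 | fixed |
| nss-util | RHEL 8.2 EUS | 0:3.53.1-11.el8_2 | fixed |
| nss-util | RHEL 8.2 TUS | 0:3.53.1-11.el8_2 | fixed |
| nss-util-devel | RHEL 7 | 0:3.53.1-1.el7_9 | fixed |
| nss-util-devel | RHEL 8 | 0:3.53.1-11.el8_2 | fixed |
| nss-util-devel | RHEL 8.2 AUS | 0:3.53.1-11.el8_2 | fixed |
| nss-util-devel | RHEL 8.2 E4S | 0:3.53.1-11.el8_2 | fixed |
| nss-util-devel | RHEL 8.2 EUS | 0:3.53.1-11.el8_2 | fixed |
| nss-util-devel | RHEL 8.2 TUS | 0:3.53.1-11.el8_2 | fixed |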