CVE-2019-17023

After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72.
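
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
| --- | --- | --- | --- | --- | --- | --- |
| NIST | NIST | 6.5 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| mozilla | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |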

EPSS Score percentile: 38%

| Vendor | Product | Version |
| --- | --- | --- |
| mozilla | firefox | 𝑥 < 72.0 |
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 18.04 |
| canonical | ubuntu_linux | 19.04 |
| canonical | ubuntu_linux | 19.10 |
| canonical | ubuntu_linux | 20.04 |
| debian | debian_linux | 10.0 |

𝑥 = Vulnerable software versions
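
Debian Releases

| Debian Product | Codename | Version | Status |
| --- | --- | --- | --- |
| firefox | sid | 132.0.1-1 | fixed |
| firefox | stretch | | not-affected |
| firefox | jessie | | not-affected |
| nss | bullseye | 2:3.61-1+deb11u3 | fixed |
| nss | stretch | | not-affected |
| nss | jessie | | not-affected |
| nss | bullseye (security) | 2:3.61-1+deb11u4 | fixed |
| nss | bookworm | 2:3.87.1-1 | fixed |
| nss | sid | 2:3.105-2 | fixed |
| nss | trixie | 2:3.105-2 | fixed |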

Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
| --- | --- | --- | --- |
| firefox | focal | Fixed 72.0.1+build1-0ubuntu1 | released |
| firefox | eoan | Fixed 72.0.1+build1-0ubuntu0.19.10.1 | released |
| firefox | disco | Fixed 72.0.1+build1-0ubuntu0.19.04.1 | released |
| firefox | bionic | Fixed 72.0.1+build1-0ubuntu0.18.04.1 | released |
| firefox | xenial | Fixed 72.0.1+build1-0ubuntu0.16.04.1 | released |
| firefox | trusty | | dne |
| nss | focal | | not-affected |
| nss | eoan | Fixed 2:3.45-1ubuntu2.3 | released |
| nss | disco | | ignored |
| nss | bionic | Fixed 2:3.35-2ubuntu2.8 | released |
| nss | xenial | | not-affected |
| nss | trusty | | not-affected |