CVE-2020-25648

EUVD-2020-18313
A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 25%
Affected Products (NVD)
VendorProductVersion
mozillanetwork_security_services
𝑥
< 3.58
redhatenterprise_linux
7.0
redhatenterprise_linux
8.0
oraclecommunications_offline_mediation_controller
12.0.0.3.0
oraclecommunications_pricing_design_center
12.0.0.3.0
oraclejd_edwards_enterpriseone_tools
𝑥
< 9.2.6.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
nss
bookworm
2:3.87.1-1
fixed
bullseye
2:3.61-1+deb11u3
fixed
bullseye (security)
2:3.61-1+deb11u4
fixed
sid
2:3.105-2
fixed
stretch
no-dsa
trixie
2:3.105-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
nss
bionic
Fixed 2:3.35-2ubuntu2.14
released
focal
Fixed 2:3.49.1-1ubuntu1.7
released
groovy
ignored
hirsute
not-affected
impish
not-affected
jammy
not-affected
kinetic
not-affected
trusty
not-affected
xenial
not-affected
Common Weakness Enumeration
References
https://bugzilla.redhat.com/show_bug.cgi?id=1887319
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.58_release_notes
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E
https://lists.debian.org/debian-lts-announce/2023/10/msg00039.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERA5SVJQXQMDGES7RIT4F4NQVLD35RXN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HRM53IQCPZT2US3M7JXTP6I6IBA5RGOD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RPOLN6DJUYQ3QBQEGLZGV73SNIPK7GHV/
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://bugzilla.redhat.com/show_bug.cgi?id=1887319
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.58_release_notes
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E
https://lists.debian.org/debian-lts-announce/2023/10/msg00039.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERA5SVJQXQMDGES7RIT4F4NQVLD35RXN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HRM53IQCPZT2US3M7JXTP6I6IBA5RGOD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RPOLN6DJUYQ3QBQEGLZGV73SNIPK7GHV/
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html