Information Exposure

Affecting nss package, versions <2:3.42.1-1+deb10u3

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

Affected versions of this package are vulnerable to Information Exposure. NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.

Remediation

Upgrade nss to version or higher.

References

CVSS Score

4.4
medium severity
  • Attack Vector
    Local
  • Attack Complexity
    High
  • Privileges Required
    Low
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
CVE
CVE-2020-12399
CWE
CWE-203
Snyk ID
SNYK-DEBIAN10-NSS-569792
Disclosed
09 Jul, 2020
Published
20 May, 2020