Improper Certificate Validation in nss

Do your applications use this vulnerable package? Test your applications

Overview

A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.

References

Debian Security Tracker
GENTOO
Mozilla Security Advisory
RHSA Security Advisory
RedHat Bugzilla Bug
SUSE
SUSE
SUSE
SUSE
SUSE
Ubuntu CVE Tracker

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

None
Integrity

Low
Availability

None

CVE: CVE-2019-11727
CWE: CWE-295
Snyk ID: SNYK-DEBIAN9-NSS-452771
Disclosed: 23 Jul, 2019
Published: 24 Jul, 2019

Improper Certificate Validation
Affecting nss package, versions *

Overview

References

CVSS Score

Improper Certificate Validation Affecting nss package, versions *

Overview

References

Improper Certificate Validation
Affecting nss package, versions *