Information Exposure

Affecting nss package, versions <2:3.26.2-1.1+deb9u2

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

Affected versions of this package are vulnerable to Information Exposure. When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80.

Remediation

Upgrade nss to version or higher.

References

CVSS Score

4.7
medium severity
  • Attack Vector
    Local
  • Attack Complexity
    High
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE
CVE-2020-12400
CWE
CWE-200
Snyk ID
SNYK-DEBIAN9-NSS-597152
Disclosed
08 Oct, 2020
Published
01 Aug, 2020