CVE-2019-11745

Published on: 01/08/2020 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:35 PM UTC

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Certain versions of Ubuntu Linux from Canonical contain the following vulnerability:

When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71.

  • CVE-2019-11745 has been assigned by URL Logo [email protected] to track the vulnerability - currently rated as HIGH severity.
  • Affected Vendor/Software: URL Logo Mozilla - Thunderbird version before 68.3
  • Affected Vendor/Software: URL Logo Mozilla - Firefox ESR version before 68.3
  • Affected Vendor/Software: URL Logo Mozilla - Firefox version before 71

CVSS3 Score: 8.8 - HIGH

Attack
Vector
Attack
Complexity
Privileges
Required
User
Interaction
NETWORK LOW NONE REQUIRED
Scope Confidentiality
Impact
Integrity
Impact
Availability
Impact
UNCHANGED HIGH HIGH HIGH

CVSS2 Score: 6.8 - MEDIUM

Access
Vector
Access
Complexity
Authentication
NETWORK MEDIUM NONE
Confidentiality
Impact
Integrity
Impact
Availability
Impact
PARTIAL PARTIAL PARTIAL

CVE References

Description Tags Link
Mozilla Thunderbird: Multiple vulnerabilities (GLSA 202003-10) — Gentoo security Third Party Advisory
security.gentoo.org
text/html
URL Logo GENTOO GLSA-202003-10
Mozilla Network Security Service: Multiple vulnerabilities (GLSA 202003-37) — Gentoo security Third Party Advisory
security.gentoo.org
text/html
URL Logo GENTOO GLSA-202003-37
Mozilla Firefox: Multiple vulnerabilities (GLSA 202003-02) — Gentoo security Third Party Advisory
security.gentoo.org
text/html
URL Logo GENTOO GLSA-202003-02
Red Hat Customer Portal Third Party Advisory
access.redhat.com
text/html
URL Logo REDHAT RHSA-2020:0243
Security Vulnerabilities fixed in - Firefox 71 — Mozilla Vendor Advisory
www.mozilla.org
text/html
URL Logo CONFIRM www.mozilla.org/security/advisories/mfsa2019-36/
Siemens RUGGEDCOM ROX II | CISA Third Party Advisory
US Government Resource
us-cert.cisa.gov
text/html
URL Logo MISC us-cert.cisa.gov/ics/advisories/icsa-21-040-04
Red Hat Customer Portal Third Party Advisory
access.redhat.com
text/html
URL Logo REDHAT RHSA-2020:0466
Security Vulnerabilities fixed in - Thunderbird 68.3 — Mozilla Vendor Advisory
web.archive.org
text/html
Inactive LinkNot Archived
URL Logo CONFIRM www.mozilla.org/security/advisories/mfsa2019-38/
[security-announce] openSUSE-SU-2020:0003-1: important: Security update Mailing List
Third Party Advisory
lists.opensuse.org
text/html
URL Logo SUSE openSUSE-SU-2020:0003
[security-announce] openSUSE-SU-2020:0002-1: important: Security update Issue Tracking
Mailing List
Third Party Advisory
lists.opensuse.org
text/html
URL Logo SUSE openSUSE-SU-2020:0002
USN-4335-1: Thunderbird vulnerabilities | Ubuntu security notices Third Party Advisory
usn.ubuntu.com
text/html
URL Logo UBUNTU USN-4335-1
Security Vulnerabilities fixed in - Firefox ESR 68.3 — Mozilla Vendor Advisory
www.mozilla.org
text/html
URL Logo CONFIRM www.mozilla.org/security/advisories/mfsa2019-37/
[SECURITY] [DLA 2388-1] nss security update Mailing List
Third Party Advisory
lists.debian.org
text/html
URL Logo MLIST [debian-lts-announce] 20200929 [SECURITY] [DLA 2388-1] nss security update
1586176 - (CVE-2019-11745) Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate Issue Tracking
Patch
Vendor Advisory
bugzilla.mozilla.org
text/html
URL Logo CONFIRM bugzilla.mozilla.org/show_bug.cgi?id=1586176
Third Party Advisory
cert-portal.siemens.com
application/pdf
URL Logo CONFIRM cert-portal.siemens.com/productcert/pdf/ssa-379803.pdf
[security-announce] openSUSE-SU-2020:0008-1: moderate: Security update f Mailing List
Third Party Advisory
lists.opensuse.org
text/html
URL Logo SUSE openSUSE-SU-2020:0008
USN-4241-1: Thunderbird vulnerabilities | Ubuntu security notices | Ubuntu Third Party Advisory
usn.ubuntu.com
text/html
URL Logo UBUNTU USN-4241-1

Related QID Numbers

  • 256751 CentOS Security Update for nss (CESA-2019:4190)

Known Affected Configurations (CPE V2.3)

Type Vendor Product Version Update Edition Language
Operating
System
CanonicalUbuntu Linux16.04AllAllAll
Operating
System
CanonicalUbuntu Linux18.04AllAllAll
Operating
System
CanonicalUbuntu Linux19.10AllAllAll
Operating
System
CanonicalUbuntu Linux16.04AllAllAll
Operating
System
CanonicalUbuntu Linux18.04AllAllAll
Operating
System
CanonicalUbuntu Linux19.10AllAllAll
Operating
System
DebianDebian Linux9.0AllAllAll
Operating
System
DebianDebian Linux9.0AllAllAll
ApplicationMozillaFirefoxAllAllAllAll
ApplicationMozillaFirefoxAllAllAllAll
ApplicationMozillaFirefox EsrAllAllAllAll
ApplicationMozillaFirefox EsrAllAllAllAll
ApplicationMozillaThunderbirdAllAllAllAll
ApplicationMozillaThunderbirdAllAllAllAll
Operating
System
OpensuseLeap15.1AllAllAll
Operating
System
OpensuseLeap15.1AllAllAll
Operating
System
RedhatEnterprise Linux Server Aus6.6AllAllAll
Operating
System
RedhatEnterprise Linux Server Aus6.6AllAllAll
HardwareSiemensRuggedcom Rox Mx5000-AllAllAll
HardwareSiemensRuggedcom Rox Mx5000-AllAllAll
Operating
System
SiemensRuggedcom Rox Mx5000 FirmwareAllAllAllAll
Operating
System
SiemensRuggedcom Rox Mx5000 FirmwareAllAllAllAll
HardwareSiemensRuggedcom Rox Rx1400-AllAllAll
HardwareSiemensRuggedcom Rox Rx1400-AllAllAll
Operating
System
SiemensRuggedcom Rox Rx1400 FirmwareAllAllAllAll
Operating
System
SiemensRuggedcom Rox Rx1400 FirmwareAllAllAllAll
HardwareSiemensRuggedcom Rox Rx1500-AllAllAll
HardwareSiemensRuggedcom Rox Rx1500-AllAllAll
Operating
System
SiemensRuggedcom Rox Rx1500 FirmwareAllAllAllAll
Operating
System
SiemensRuggedcom Rox Rx1500 FirmwareAllAllAllAll
HardwareSiemensRuggedcom Rox Rx1501-AllAllAll
HardwareSiemensRuggedcom Rox Rx1501-AllAllAll
Operating
System
SiemensRuggedcom Rox Rx1501 FirmwareAllAllAllAll
Operating
System
SiemensRuggedcom Rox Rx1501 FirmwareAllAllAllAll
HardwareSiemensRuggedcom Rox Rx1510-AllAllAll
HardwareSiemensRuggedcom Rox Rx1510-AllAllAll
Operating
System
SiemensRuggedcom Rox Rx1510 FirmwareAllAllAllAll
Operating
System
SiemensRuggedcom Rox Rx1510 FirmwareAllAllAllAll
HardwareSiemensRuggedcom Rox Rx1511-AllAllAll
HardwareSiemensRuggedcom Rox Rx1511-AllAllAll
Operating
System
SiemensRuggedcom Rox Rx1511 FirmwareAllAllAllAll
Operating
System
SiemensRuggedcom Rox Rx1511 FirmwareAllAllAllAll
HardwareSiemensRuggedcom Rox Rx1512-AllAllAll
HardwareSiemensRuggedcom Rox Rx1512-AllAllAll
Operating
System
SiemensRuggedcom Rox Rx1512 FirmwareAllAllAllAll
Operating
System
SiemensRuggedcom Rox Rx1512 FirmwareAllAllAllAll
HardwareSiemensRuggedcom Rox Rx5000-AllAllAll
HardwareSiemensRuggedcom Rox Rx5000-AllAllAll
Operating
System
SiemensRuggedcom Rox Rx5000 FirmwareAllAllAllAll
Operating
System
SiemensRuggedcom Rox Rx5000 FirmwareAllAllAllAll
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*:
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*:
  • cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*:
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*:
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*:
  • cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*:
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*:
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*:
  • cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*:
  • cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*:
  • cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*:
  • cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*:
  • cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*:
  • cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*:
  • cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*:
  • cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:*:
  • cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:*:
  • cpe:2.3:h:siemens:ruggedcom_rox_mx5000:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:siemens:ruggedcom_rox_mx5000:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:siemens:ruggedcom_rox_mx5000_firmware:*:*:*:*:*:*:*:*:
  • cpe:2.3:o:siemens:ruggedcom_rox_mx5000_firmware:*:*:*:*:*:*:*:*:
  • cpe:2.3:h:siemens:ruggedcom_rox_rx1400:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:siemens:ruggedcom_rox_rx1400:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:siemens:ruggedcom_rox_rx1400_firmware:*:*:*:*:*:*:*:*:
  • cpe:2.3:o:siemens:ruggedcom_rox_rx1400_firmware:*:*:*:*:*:*:*:*:
  • cpe:2.3:h:siemens:ruggedcom_rox_rx1500:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:siemens:ruggedcom_rox_rx1500:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:siemens:ruggedcom_rox_rx1500_firmware:*:*:*:*:*:*:*:*:
  • cpe:2.3:o:siemens:ruggedcom_rox_rx1500_firmware:*:*:*:*:*:*:*:*:
  • cpe:2.3:h:siemens:ruggedcom_rox_rx1501:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:siemens:ruggedcom_rox_rx1501:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:siemens:ruggedcom_rox_rx1501_firmware:*:*:*:*:*:*:*:*:
  • cpe:2.3:o:siemens:ruggedcom_rox_rx1501_firmware:*:*:*:*:*:*:*:*:
  • cpe:2.3:h:siemens:ruggedcom_rox_rx1510:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:siemens:ruggedcom_rox_rx1510:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:siemens:ruggedcom_rox_rx1510_firmware:*:*:*:*:*:*:*:*:
  • cpe:2.3:o:siemens:ruggedcom_rox_rx1510_firmware:*:*:*:*:*:*:*:*:
  • cpe:2.3:h:siemens:ruggedcom_rox_rx1511:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:siemens:ruggedcom_rox_rx1511:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:siemens:ruggedcom_rox_rx1511_firmware:*:*:*:*:*:*:*:*:
  • cpe:2.3:o:siemens:ruggedcom_rox_rx1511_firmware:*:*:*:*:*:*:*:*:
  • cpe:2.3:h:siemens:ruggedcom_rox_rx1512:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:siemens:ruggedcom_rox_rx1512:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:siemens:ruggedcom_rox_rx1512_firmware:*:*:*:*:*:*:*:*:
  • cpe:2.3:o:siemens:ruggedcom_rox_rx1512_firmware:*:*:*:*:*:*:*:*:
  • cpe:2.3:h:siemens:ruggedcom_rox_rx5000:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:siemens:ruggedcom_rox_rx5000:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:siemens:ruggedcom_rox_rx5000_firmware:*:*:*:*:*:*:*:*:
  • cpe:2.3:o:siemens:ruggedcom_rox_rx5000_firmware:*:*:*:*:*:*:*:*:
© CVE.report 2021 Twitter Nitter Twitter Viewer |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report