ID

VAR-202001-1433


CVE

CVE-2019-11745


TITLE

Firefox and Thunderbird vulnerable to out-of-bounds write

Trust: 0.8

sources: JVNDB: JVNDB-2019-013984

DESCRIPTION

When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71.

Firefox and Thunderbird contain an out-of-bounds write vulnerability. Information may be obtained or altered, or a denial of service (DoS) condition may result.

Background
==========

The Mozilla Network Security Service (NSS) is a library implementing security features like SSL v.2/v.3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME and X.509 certificates.

====================================================================
Red Hat Security Advisory

Synopsis:      Important: nss-softokn security update
Advisory ID:   RHSA-2019:4152-01
Product:       Red Hat Enterprise Linux
Advisory URL:  https://access.redhat.com/errata/RHSA-2019:4152
Issue date:    2019-12-10
CVE Names:     CVE-2019-11745
====================================================================

1. Summary:

An update for nss-softokn is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

The nss-softokn package provides the Network Security Services Softoken Cryptographic Module.

Security Fix(es):

* nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate (CVE-2019-11745)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
nss-softokn-3.44.0-6.el6_10.src.rpm

i386:
nss-softokn-3.44.0-6.el6_10.i686.rpm
nss-softokn-debuginfo-3.44.0-6.el6_10.i686.rpm
nss-softokn-freebl-3.44.0-6.el6_10.i686.rpm

x86_64:
nss-softokn-3.44.0-6.el6_10.i686.rpm
nss-softokn-3.44.0-6.el6_10.x86_64.rpm
nss-softokn-debuginfo-3.44.0-6.el6_10.i686.rpm
nss-softokn-debuginfo-3.44.0-6.el6_10.x86_64.rpm
nss-softokn-freebl-3.44.0-6.el6_10.i686.rpm
nss-softokn-freebl-3.44.0-6.el6_10.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

i386:
nss-softokn-debuginfo-3.44.0-6.el6_10.i686.rpm
nss-softokn-devel-3.44.0-6.el6_10.i686.rpm
nss-softokn-freebl-devel-3.44.0-6.el6_10.i686.rpm

x86_64:
nss-softokn-debuginfo-3.44.0-6.el6_10.i686.rpm
nss-softokn-debuginfo-3.44.0-6.el6_10.x86_64.rpm
nss-softokn-devel-3.44.0-6.el6_10.i686.rpm
nss-softokn-devel-3.44.0-6.el6_10.x86_64.rpm
nss-softokn-freebl-devel-3.44.0-6.el6_10.i686.rpm
nss-softokn-freebl-devel-3.44.0-6.el6_10.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
nss-softokn-3.44.0-6.el6_10.src.rpm

x86_64:
nss-softokn-3.44.0-6.el6_10.i686.rpm
nss-softokn-3.44.0-6.el6_10.x86_64.rpm
nss-softokn-debuginfo-3.44.0-6.el6_10.i686.rpm
nss-softokn-debuginfo-3.44.0-6.el6_10.x86_64.rpm
nss-softokn-freebl-3.44.0-6.el6_10.i686.rpm
nss-softokn-freebl-3.44.0-6.el6_10.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

x86_64:
nss-softokn-debuginfo-3.44.0-6.el6_10.i686.rpm
nss-softokn-debuginfo-3.44.0-6.el6_10.x86_64.rpm
nss-softokn-devel-3.44.0-6.el6_10.i686.rpm
nss-softokn-devel-3.44.0-6.el6_10.x86_64.rpm
nss-softokn-freebl-devel-3.44.0-6.el6_10.i686.rpm
nss-softokn-freebl-devel-3.44.0-6.el6_10.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
nss-softokn-3.44.0-6.el6_10.src.rpm

i386:
nss-softokn-3.44.0-6.el6_10.i686.rpm
nss-softokn-debuginfo-3.44.0-6.el6_10.i686.rpm
nss-softokn-devel-3.44.0-6.el6_10.i686.rpm
nss-softokn-freebl-3.44.0-6.el6_10.i686.rpm
nss-softokn-freebl-devel-3.44.0-6.el6_10.i686.rpm

ppc64:
nss-softokn-3.44.0-6.el6_10.ppc.rpm
nss-softokn-3.44.0-6.el6_10.ppc64.rpm
nss-softokn-debuginfo-3.44.0-6.el6_10.ppc.rpm
nss-softokn-debuginfo-3.44.0-6.el6_10.ppc64.rpm
nss-softokn-devel-3.44.0-6.el6_10.ppc.rpm
nss-softokn-devel-3.44.0-6.el6_10.ppc64.rpm
nss-softokn-freebl-3.44.0-6.el6_10.ppc.rpm
nss-softokn-freebl-3.44.0-6.el6_10.ppc64.rpm
nss-softokn-freebl-devel-3.44.0-6.el6_10.ppc.rpm
nss-softokn-freebl-devel-3.44.0-6.el6_10.ppc64.rpm

s390x:
nss-softokn-3.44.0-6.el6_10.s390.rpm
nss-softokn-3.44.0-6.el6_10.s390x.rpm
nss-softokn-debuginfo-3.44.0-6.el6_10.s390.rpm
nss-softokn-debuginfo-3.44.0-6.el6_10.s390x.rpm
nss-softokn-devel-3.44.0-6.el6_10.s390.rpm
nss-softokn-devel-3.44.0-6.el6_10.s390x.rpm
nss-softokn-freebl-3.44.0-6.el6_10.s390.rpm
nss-softokn-freebl-3.44.0-6.el6_10.s390x.rpm
nss-softokn-freebl-devel-3.44.0-6.el6_10.s390.rpm
nss-softokn-freebl-devel-3.44.0-6.el6_10.s390x.rpm

x86_64:
nss-softokn-3.44.0-6.el6_10.i686.rpm
nss-softokn-3.44.0-6.el6_10.x86_64.rpm
nss-softokn-debuginfo-3.44.0-6.el6_10.i686.rpm
nss-softokn-debuginfo-3.44.0-6.el6_10.x86_64.rpm
nss-softokn-devel-3.44.0-6.el6_10.i686.rpm
nss-softokn-devel-3.44.0-6.el6_10.x86_64.rpm
nss-softokn-freebl-3.44.0-6.el6_10.i686.rpm
nss-softokn-freebl-3.44.0-6.el6_10.x86_64.rpm
nss-softokn-freebl-devel-3.44.0-6.el6_10.i686.rpm
nss-softokn-freebl-devel-3.44.0-6.el6_10.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
nss-softokn-3.44.0-6.el6_10.src.rpm

i386:
nss-softokn-3.44.0-6.el6_10.i686.rpm
nss-softokn-debuginfo-3.44.0-6.el6_10.i686.rpm
nss-softokn-devel-3.44.0-6.el6_10.i686.rpm
nss-softokn-freebl-3.44.0-6.el6_10.i686.rpm
nss-softokn-freebl-devel-3.44.0-6.el6_10.i686.rpm

x86_64:
nss-softokn-3.44.0-6.el6_10.i686.rpm
nss-softokn-3.44.0-6.el6_10.x86_64.rpm
nss-softokn-debuginfo-3.44.0-6.el6_10.i686.rpm
nss-softokn-debuginfo-3.44.0-6.el6_10.x86_64.rpm
nss-softokn-devel-3.44.0-6.el6_10.i686.rpm
nss-softokn-devel-3.44.0-6.el6_10.x86_64.rpm
nss-softokn-freebl-3.44.0-6.el6_10.i686.rpm
nss-softokn-freebl-3.44.0-6.el6_10.x86_64.rpm
nss-softokn-freebl-devel-3.44.0-6.el6_10.i686.rpm
nss-softokn-freebl-devel-3.44.0-6.el6_10.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-11745
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

==========================================================================
Ubuntu Security Notice USN-4335-1
April 21, 2020

thunderbird vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, bypass same-origin restrictions, conduct cross-site scripting (XSS) attacks, or execute arbitrary code. (CVE-2019-11757, CVE-2019-11758, CVE-2019-11759, CVE-2019-11760, CVE-2019-11761, CVE-2019-11762, CVE-2019-11763, CVE-2019-11764, CVE-2019-17005, CVE-2019-17008, CVE-2019-17010, CVE-2019-17011, CVE-2019-17012, CVE-2019-17016, CVE-2019-17017, CVE-2019-17022, CVE-2019-17024, CVE-2019-17026, CVE-2019-20503, CVE-2020-6798, CVE-2020-6800, CVE-2020-6805, CVE-2020-6806, CVE-2020-6807, CVE-2020-6812, CVE-2020-6814, CVE-2020-6819, CVE-2020-6820, CVE-2020-6821, CVE-2020-6825)

It was discovered that NSS incorrectly handled certain memory operations. A remote attacker could potentially exploit this to cause a denial of service, or execute arbitrary code. (CVE-2019-11745)

It was discovered that a specially crafted S/MIME message with an inner encryption layer could be displayed as having a valid signature in some circumstances, even if the signer had no access to the encrypted message. An attacker could potentially exploit this to spoof the message author. (CVE-2019-11755)

A heap overflow was discovered in the expat library in Thunderbird. If a user were tricked into opening a specially crafted message, an attacker could potentially exploit this to cause a denial of service, or execute arbitrary code. (CVE-2019-15903)

It was discovered that Message ID calculation was based on uninitialized data. An attacker could potentially exploit this to obtain sensitive information. (CVE-2020-6792)

Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, or execute arbitrary code. (CVE-2020-6793, CVE-2020-6795, CVE-2020-6822)

It was discovered that if a user saved passwords before Thunderbird 60 and then later set a master password, an unencrypted copy of these passwords would still be accessible. A local user could exploit this to obtain sensitive information. (CVE-2020-6794)

It was discovered that the Devtools’ ‘Copy as cURL’ feature did not fully escape website-controlled data. If a user were tricked into using the ‘Copy as cURL’ feature to copy and paste a command with specially crafted data into a terminal, an attacker could potentially exploit this to execute arbitrary commands via command injection. (CVE-2020-6811)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS:
  thunderbird  1:68.7.0+build1-0ubuntu0.16.04.2

After a standard system update you need to restart Thunderbird to make all the necessary changes.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202003-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Mozilla Firefox: Multiple vulnerabilities
      Date: March 12, 2020
      Bugs: #702638, #705000, #709346, #712182
        ID: 202003-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code.

Background
==========

Mozilla Firefox is a popular open-source web browser from the Mozilla Project.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-client/firefox         < 68.6.0                  >= 68.6.0
  2  www-client/firefox-bin     < 68.6.0                  >= 68.6.0
    -------------------------------------------------------------------
     2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Mozilla Firefox. Please review the CVE identifiers referenced below for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-68.6.0"

All Mozilla Firefox binary users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-68.6.0"

References
==========

[ 1 ] CVE-2019-11745  https://nvd.nist.gov/vuln/detail/CVE-2019-11745
[ 2 ] CVE-2019-17005  https://nvd.nist.gov/vuln/detail/CVE-2019-17005
[ 3 ] CVE-2019-17008  https://nvd.nist.gov/vuln/detail/CVE-2019-17008
[ 4 ] CVE-2019-17010  https://nvd.nist.gov/vuln/detail/CVE-2019-17010
[ 5 ] CVE-2019-17011  https://nvd.nist.gov/vuln/detail/CVE-2019-17011
[ 6 ] CVE-2019-17012  https://nvd.nist.gov/vuln/detail/CVE-2019-17012
[ 7 ] CVE-2019-17016  https://nvd.nist.gov/vuln/detail/CVE-2019-17016
[ 8 ] CVE-2019-17017  https://nvd.nist.gov/vuln/detail/CVE-2019-17017
[ 9 ] CVE-2019-17022  https://nvd.nist.gov/vuln/detail/CVE-2019-17022
[ 10 ] CVE-2019-17024  https://nvd.nist.gov/vuln/detail/CVE-2019-17024
[ 11 ] CVE-2019-17026  https://nvd.nist.gov/vuln/detail/CVE-2019-17026
[ 12 ] CVE-2019-20503  https://nvd.nist.gov/vuln/detail/CVE-2019-20503
[ 13 ] CVE-2020-6796  https://nvd.nist.gov/vuln/detail/CVE-2020-6796
[ 14 ] CVE-2020-6797  https://nvd.nist.gov/vuln/detail/CVE-2020-6797
[ 15 ] CVE-2020-6798  https://nvd.nist.gov/vuln/detail/CVE-2020-6798
[ 16 ] CVE-2020-6799  https://nvd.nist.gov/vuln/detail/CVE-2020-6799
[ 17 ] CVE-2020-6800  https://nvd.nist.gov/vuln/detail/CVE-2020-6800
[ 18 ] CVE-2020-6805  https://nvd.nist.gov/vuln/detail/CVE-2020-6805
[ 19 ] CVE-2020-6806  https://nvd.nist.gov/vuln/detail/CVE-2020-6806
[ 20 ] CVE-2020-6807  https://nvd.nist.gov/vuln/detail/CVE-2020-6807
[ 21 ] CVE-2020-6811  https://nvd.nist.gov/vuln/detail/CVE-2020-6811
[ 22 ] CVE-2020-6812  https://nvd.nist.gov/vuln/detail/CVE-2020-6812
[ 23 ] CVE-2020-6814  https://nvd.nist.gov/vuln/detail/CVE-2020-6814
[ 24 ] MFSA-2019-37  https://www.mozilla.org/en-US/security/advisories/mfsa2019-37/
[ 25 ] MFSA-2020-03  https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/
[ 26 ] MFSA-2020-06  https://www.mozilla.org/en-US/security/advisories/mfsa2020-06/
[ 27 ] MFSA-2020-09  https://www.mozilla.org/en-US/security/advisories/mfsa2020-09/

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  https://security.gentoo.org/glsa/202003-02

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2020 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

[slackware-security]  mozilla-firefox (SSA:2019-337-01)

New mozilla-firefox packages are available for Slackware 14.2 and -current to fix security issues.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-68.3.0esr-i686-1_slack14.2.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/68.3.0/releasenotes/
    https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
    https://www.mozilla.org/security/advisories/mfsa2019-37/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17008
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13722
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17009
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17010
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17005
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17011
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17012
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you.

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/mozilla-firefox-68.3.0esr-i686-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/mozilla-firefox-68.3.0esr-x86_64-1_slack14.2.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/mozilla-firefox-68.3.0esr-i686-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/mozilla-firefox-68.3.0esr-x86_64-1.txz

MD5 signatures:
+-------------+

Slackware 14.2 package:
87f700f9d6e2f2714f34bd4df98daff3  mozilla-firefox-68.3.0esr-i686-1_slack14.2.txz

Slackware x86_64 14.2 package:
a1fc7f2d55d99552fbfef89c0a4fc4d8  mozilla-firefox-68.3.0esr-x86_64-1_slack14.2.txz

Slackware -current package:
b398fbd95c214bc1f209344809557650  xap/mozilla-firefox-68.3.0esr-i686-1.txz

Slackware x86_64 -current package:
54fdcfaa0337054003900c366020e39f  xap/mozilla-firefox-68.3.0esr-x86_64-1.txz

Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg mozilla-firefox-68.3.0esr-i686-1_slack14.2.txz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

Trust: 2.52

sources: NVD: CVE-2019-11745 // JVNDB: JVNDB-2019-013984 // VULMON: CVE-2019-11745 // PACKETSTORM: 156770 // PACKETSTORM: 155609 // PACKETSTORM: 157345 // PACKETSTORM: 157226 // PACKETSTORM: 157142 // PACKETSTORM: 155589 // PACKETSTORM: 156704 // PACKETSTORM: 155546 // PACKETSTORM: 155603

AFFECTED PRODUCTS

vendor: mozilla, model: firefox esr, scope: lt, version: 68.3

Trust: 1.8

vendor: opensuse, model: leap, scope: eq, version: 15.1

Trust: 1.0

vendor: canonical, model: ubuntu linux, scope: eq, version: 18.04

Trust: 1.0

vendor: canonical, model: ubuntu linux, scope: eq, version: 19.10

Trust: 1.0

vendor: siemens, model: ruggedcom rox rx1400, scope: lt, version: 2.14.0

Trust: 1.0

vendor: siemens, model: ruggedcom rox rx1512, scope: lt, version: 2.14.0

Trust: 1.0

vendor: canonical, model: ubuntu linux, scope: eq, version: 16.04

Trust: 1.0

vendor: mozilla, model: thunderbird, scope: lt, version: 68.3.0

Trust: 1.0

vendor: siemens, model: ruggedcom rox rx1510, scope: lt, version: 2.14.0

Trust: 1.0

vendor: siemens, model: ruggedcom rox rx5000, scope: lt, version: 2.14.0

Trust: 1.0

vendor: mozilla, model: firefox, scope: lt, version: 71.0

Trust: 1.0

vendor: siemens, model: ruggedcom rox rx1500, scope: lt, version: 2.14.0

Trust: 1.0

vendor: siemens, model: ruggedcom rox rx1501, scope: lt, version: 2.14.0

Trust: 1.0

vendor: siemens, model: ruggedcom rox rx1511, scope: lt, version: 2.14.0

Trust: 1.0

vendor: siemens, model: ruggedcom rox mx5000, scope: lt, version: 2.14.0

Trust: 1.0

vendor: redhat, model: enterprise linux server aus, scope: eq, version: 6.6

Trust: 1.0

vendor: debian, model: linux, scope: eq, version: 9.0

Trust: 1.0

vendor: mozilla, model: firefox, scope: lt, version: 71

Trust: 0.8

vendor: mozilla, model: thunderbird, scope: lt, version: 68.3

Trust: 0.8

vendor: opensuse, model: leap, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2019-013984 // NVD: CVE-2019-11745

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-11745
value: HIGH

Trust: 1.0

NVD: CVE-2019-11745
value: HIGH

Trust: 0.8

VULMON: CVE-2019-11745
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-11745
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

nvd@nist.gov: CVE-2019-11745
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-11745
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULMON: CVE-2019-11745 // JVNDB: JVNDB-2019-013984 // NVD: CVE-2019-11745

PROBLEMTYPE DATA

problemtype:CWE-787

Trust: 1.8

sources: JVNDB: JVNDB-2019-013984 // NVD: CVE-2019-11745

TYPE

arbitrary

Trust: 0.2

sources: PACKETSTORM: 156704 // PACKETSTORM: 155603

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-013984

PATCH

title: MFSA2019-36; url: https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/

Trust: 0.8

title: MFSA2019-37; url: https://www.mozilla.org/en-US/security/advisories/mfsa2019-37/

Trust: 0.8

title: MFSA2019-38; url: https://www.mozilla.org/en-US/security/advisories/mfsa2019-38/

Trust: 0.8

title: openSUSE-SU-2020:0008-1; url: https://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html

Trust: 0.8

title: openSUSE-SU-2020:0003-1; url: https://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html

Trust: 0.8

title: openSUSE-SU-2020:0002-1; url: https://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html

Trust: 0.8

title: Red Hat: Important: nss security update; url: https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20200243 - Security Advisory

Trust: 0.1

title: Red Hat: Important: nss-softokn security update; url: https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20201461 - Security Advisory

Trust: 0.1

title: Red Hat: Important: nss security update; url: https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20194114 - Security Advisory

Trust: 0.1

title: Red Hat: Important: nss-softokn security update; url: https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20200466 - Security Advisory

Trust: 0.1

title: Red Hat: Important: nss-softokn security update; url: https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20194152 - Security Advisory

Trust: 0.1

title: Red Hat: Important: nss, nss-softokn, nss-util security update; url: https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20194190 - Security Advisory

Trust: 0.1

title: Red Hat: Important: nss-softokn security update; url: https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20201345 - Security Advisory

Trust: 0.1

title: Red Hat: Important: nss-softokn security update; url: https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20201267 - Security Advisory

Trust: 0.1

title: Ubuntu Security Notice: nss vulnerability; url: https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-4203-2

Trust: 0.1

title: Ubuntu Security Notice: nss vulnerability; url: https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-4203-1

Trust: 0.1

title: Debian Security Advisories: DSA-4579-1 nss -- security update; url: https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=0af759a984821af0886871e7a26a298e

Trust: 0.1

title: Arch Linux Issues; url: https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2019-11745 log

Trust: 0.1

title: Amazon Linux 2: ALAS2-2020-1379; url: https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2020-1379

Trust: 0.1

title: IBM: Security Bulletin: Vulnerability in nss, nss-softokn, nss-util vulnerability (CVE-2019-11729 and CVE-2019-11745); url: https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=74fd642ff4a4659039a762a5a0a24106

Trust: 0.1

title: Amazon Linux 2: ALAS2-2023-1942; url: https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2023-1942

Trust: 0.1

title: Amazon Linux 2: ALAS2-2020-1384; url: https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2020-1384

Trust: 0.1

title: Amazon Linux AMI: ALAS-2020-1355; url: https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2020-1355

Trust: 0.1

title: Ubuntu Security Notice: firefox vulnerabilities; url: https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-4216-1

Trust: 0.1

title: Arch Linux Advisories: [ASA-201912-2] thunderbird: arbitrary code execution; url: https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201912-2

Trust: 0.1

title: Ubuntu Security Notice: firefox vulnerabilities; url: https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-4216-2

Trust: 0.1

title: Ubuntu Security Notice: thunderbird vulnerabilities; url: https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-4241-1

Trust: 0.1

title: Mozilla: Security Vulnerabilities fixed in - Firefox ESR 68.3; url: https://vulmon.com/vendoradvisory?qidtp=mozilla_advisories&qid=940e53f5eecee1395e2713b0ed07506b

Trust: 0.1

title: Mozilla: Security Vulnerabilities fixed in - Thunderbird 68.3; url: https://vulmon.com/vendoradvisory?qidtp=mozilla_advisories&qid=dffa374fab03b4f5b5596346629ccc8c

Trust: 0.1

title: Arch Linux Advisories: [ASA-201912-1] firefox: multiple issues; url: https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201912-1

Trust: 0.1

title: Siemens Security Advisories: Siemens Security Advisory; url: https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=409c1cd1b8ef401020956950fd839000

Trust: 0.1

title: Mozilla: Security Vulnerabilities fixed in - Firefox 71; url: https://vulmon.com/vendoradvisory?qidtp=mozilla_advisories&qid=a8e439d387c58595bbdb24cc3bdadd40

Trust: 0.1

title: Ubuntu Security Notice: thunderbird vulnerabilities; url: https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-4335-1

Trust: 0.1

title: -; url: https://github.com/vincent-deng/veracode-container-security-finding-parser

Trust: 0.1

sources: VULMON: CVE-2019-11745 // JVNDB: JVNDB-2019-013984

EXTERNAL IDS

db: NVD, id: CVE-2019-11745

Trust: 2.8

db: ICS CERT, id: ICSA-21-040-04

Trust: 1.1

db: SIEMENS, id: SSA-379803

Trust: 1.1

db: JVNDB, id: JVNDB-2019-013984

Trust: 0.8

db: VULMON, id: CVE-2019-11745

Trust: 0.1

db: PACKETSTORM, id: 156770

Trust: 0.1

db: PACKETSTORM, id: 155609

Trust: 0.1

db: PACKETSTORM, id: 157345

Trust: 0.1

db: PACKETSTORM, id: 157226

Trust: 0.1

db: PACKETSTORM, id: 157142

Trust: 0.1

db: PACKETSTORM, id: 155589

Trust: 0.1

db: PACKETSTORM, id: 156704

Trust: 0.1

db: PACKETSTORM, id: 155546

Trust: 0.1

db: PACKETSTORM, id: 155603

Trust: 0.1

sources: VULMON: CVE-2019-11745 // JVNDB: JVNDB-2019-013984 // PACKETSTORM: 156770 // PACKETSTORM: 155609 // PACKETSTORM: 157345 // PACKETSTORM: 157226 // PACKETSTORM: 157142 // PACKETSTORM: 155589 // PACKETSTORM: 156704 // PACKETSTORM: 155546 // PACKETSTORM: 155603 // NVD: CVE-2019-11745

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2019-11745

Trust: 1.7

url:https://www.mozilla.org/security/advisories/mfsa2019-37/

Trust: 1.2

url:https://access.redhat.com/errata/rhsa-2020:0243

Trust: 1.2

url:https://security.gentoo.org/glsa/202003-02

Trust: 1.2

url:https://security.gentoo.org/glsa/202003-37

Trust: 1.2

url:https://www.mozilla.org/security/advisories/mfsa2019-38/

Trust: 1.1

url:https://www.mozilla.org/security/advisories/mfsa2019-36/

Trust: 1.1

url:https://bugzilla.mozilla.org/show_bug.cgi?id=1586176

Trust: 1.1

url:http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html

Trust: 1.1

url:http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html

Trust: 1.1

url:http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html

Trust: 1.1

url:https://usn.ubuntu.com/4241-1/

Trust: 1.1

url:https://access.redhat.com/errata/rhsa-2020:0466

Trust: 1.1

url:https://security.gentoo.org/glsa/202003-10

Trust: 1.1

url:https://usn.ubuntu.com/4335-1/

Trust: 1.1

url:https://lists.debian.org/debian-lts-announce/2020/09/msg00029.html

Trust: 1.1

url:https://cert-portal.siemens.com/productcert/pdf/ssa-379803.pdf

Trust: 1.1

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-040-04

Trust: 1.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11745

Trust: 0.9

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.4

url:https://bugzilla.redhat.com/

Trust: 0.4

url:https://access.redhat.com/security/team/key/

Trust: 0.4

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.4

url:https://access.redhat.com/articles/11258

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2019-11745

Trust: 0.4

url:https://access.redhat.com/security/team/contact/

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2019-17008

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-17011

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-17005

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-17012

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-17010

Trust: 0.3

url:https://bugs.gentoo.org

Trust: 0.2

url:https://creativecommons.org/licenses/by-sa/2.5

Trust: 0.2

url:https://security.gentoo.org/

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-6814

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-6798

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-17026

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-17022

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-6805

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-6800

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-17016

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-17024

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-6811

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-6812

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2018-0495

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2018-0495

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/787.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://usn.ubuntu.com/4203-2/

Trust: 0.1

url:https://usn.ubuntu.com/4203-1/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-11696

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-11695

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-18508

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-11697

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-11698

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2019:4152

Trust: 0.1

url:https://usn.ubuntu.com/4335-1

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-6821

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-11761

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-6825

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-11764

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-6822

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/thunderbird/1:68.7.0+build1-0ubuntu0.16.04.2

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-6794

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-11755

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-11759

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-6792

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-15903

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-11760

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-11763

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2020:1461

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2020:1345

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2019:4114

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-6799

Trust: 0.1

url:https://www.mozilla.org/en-us/security/advisories/mfsa2020-09/

Trust: 0.1

url:https://www.mozilla.org/en-us/security/advisories/mfsa2020-03/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-6797

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-17017

Trust: 0.1

url:https://www.mozilla.org/en-us/security/advisories/mfsa2020-06/

Trust: 0.1

url:https://www.mozilla.org/en-us/security/advisories/mfsa2019-37/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-6806

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-20503

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-6796

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-6807

Trust: 0.1

url:http://slackware.com

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-17010

Trust: 0.1

url:https://www.mozilla.org/security/known-vulnerabilities/firefoxesr.html

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-13722

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-17008

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-17011

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-17005

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-17009

Trust: 0.1

url:http://slackware.com/gpg-key

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-13722

Trust: 0.1

url:http://osuosl.org

Trust: 0.1

url:https://www.mozilla.org/en-us/firefox/68.3.0/releasenotes/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-17009

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-17012

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/firefox/71.0+build5-0ubuntu0.18.04.1

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-17014

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/firefox/71.0+build5-0ubuntu0.19.10.1

Trust: 0.1

url:https://usn.ubuntu.com/4216-1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/firefox/71.0+build5-0ubuntu0.19.04.1

Trust: 0.1

sources: VULMON: CVE-2019-11745 // JVNDB: JVNDB-2019-013984 // PACKETSTORM: 156770 // PACKETSTORM: 155609 // PACKETSTORM: 157345 // PACKETSTORM: 157226 // PACKETSTORM: 157142 // PACKETSTORM: 155589 // PACKETSTORM: 156704 // PACKETSTORM: 155546 // PACKETSTORM: 155603 // NVD: CVE-2019-11745

CREDITS

Red Hat

Trust: 0.4

sources: PACKETSTORM: 155609 // PACKETSTORM: 157226 // PACKETSTORM: 157142 // PACKETSTORM: 155589

SOURCES

db:VULMONid:CVE-2019-11745
db:JVNDBid:JVNDB-2019-013984
db:PACKETSTORMid:156770
db:PACKETSTORMid:155609
db:PACKETSTORMid:157345
db:PACKETSTORMid:157226
db:PACKETSTORMid:157142
db:PACKETSTORMid:155589
db:PACKETSTORMid:156704
db:PACKETSTORMid:155546
db:PACKETSTORMid:155603
db:NVDid:CVE-2019-11745

LAST UPDATE DATE

2024-09-18T22:13:06.391000+00:00


SOURCES UPDATE DATE

db:VULMONid:CVE-2019-11745date:2021-02-19T00:00:00
db:JVNDBid:JVNDB-2019-013984date:2020-01-23T00:00:00
db:NVDid:CVE-2019-11745date:2021-02-19T17:22:17.650

SOURCES RELEASE DATE

db:VULMONid:CVE-2019-11745date:2020-01-08T00:00:00
db:JVNDBid:JVNDB-2019-013984date:2020-01-23T00:00:00
db:PACKETSTORMid:156770date:2020-03-16T22:35:27
db:PACKETSTORMid:155609date:2019-12-10T15:49:04
db:PACKETSTORMid:157345date:2020-04-22T15:10:10
db:PACKETSTORMid:157226date:2020-04-15T00:12:17
db:PACKETSTORMid:157142date:2020-04-07T16:41:47
db:PACKETSTORMid:155589date:2019-12-09T15:52:48
db:PACKETSTORMid:156704date:2020-03-12T20:16:23
db:PACKETSTORMid:155546date:2019-12-04T23:11:46
db:PACKETSTORMid:155603date:2019-12-09T23:42:22
db:NVDid:CVE-2019-11745date:2020-01-08T20:15:12.313