| 1 |
| url |
VCID-9wkp-gr2p-kuda |
| vulnerability_id |
VCID-9wkp-gr2p-kuda |
| summary |
When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2019-11719
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9wkp-gr2p-kuda |
|
| 2 |
| url |
VCID-bw2w-68hs-3bcd |
| vulnerability_id |
VCID-bw2w-68hs-3bcd |
| summary |
After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS state machine. If the client gets into this state, incoming Application Data records will be ignored. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2019-17023
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bw2w-68hs-3bcd |
|
| 4 |
| url |
VCID-m314-1d92-fke4 |
| vulnerability_id |
VCID-m314-1d92-fke4 |
| summary |
When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used, which leaked partial information about the nonce used during signature generation. Given an electromagnetic trace of a few signature generations, the private key could have been computed. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2020-6829
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m314-1d92-fke4 |
|
| 6 |
| url |
VCID-qpmv-44r5-tqby |
| vulnerability_id |
VCID-qpmv-44r5-tqby |
| summary |
During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2020-12401
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qpmv-44r5-tqby |
|
| 7 |
| url |
VCID-rc8a-n1r3-v7a1 |
| vulnerability_id |
VCID-rc8a-n1r3-v7a1 |
| summary |
During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significant input-dependent control flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes. We would like to thank Sohaib ul Hassan for contributing a fix for this issue as well. *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might be. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2020-12402
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rc8a-n1r3-v7a1 |
|
| 8 |
| url |
VCID-rfpm-yp1s-y3ft |
| vulnerability_id |
VCID-rfpm-yp1s-y3ft |
| summary |
When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2019-11745
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rfpm-yp1s-y3ft |
|
| 9 |
| url |
VCID-xavu-ygkk-u3fn |
| vulnerability_id |
VCID-xavu-ygkk-u3fn |
| summary |
A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2019-11727
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xavu-ygkk-u3fn |
|