{
  "threat_severity" : "Moderate",
  "public_date" : "2019-12-26T00:00:00Z",
  "bugzilla" : {
    "description" : "nss: Check length of inputs for cryptographic primitives",
    "id" : "1775916",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1775916"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-122",
  "details" : [ "In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow.", "A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability." ],
  "acknowledgement" : "Red Hat would like to thank the Mozilla Project for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-09-29T00:00:00Z",
    "advisory" : "RHSA-2020:4076",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "nspr-0:4.25.0-2.el7_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-09-29T00:00:00Z",
    "advisory" : "RHSA-2020:4076",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "nss-0:3.53.1-3.el7_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-09-29T00:00:00Z",
    "advisory" : "RHSA-2020:4076",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "nss-softokn-0:3.53.1-6.el7_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-09-29T00:00:00Z",
    "advisory" : "RHSA-2020:4076",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "nss-util-0:3.53.1-1.el7_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.4 Advanced Update Support",
    "release_date" : "2021-03-09T00:00:00Z",
    "advisory" : "RHSA-2021:0758",
    "cpe" : "cpe:/o:redhat:rhel_aus:7.4",
    "package" : "nss-softokn-0:3.28.3-10.el7_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.4 Telco Extended Update Support",
    "release_date" : "2021-03-09T00:00:00Z",
    "advisory" : "RHSA-2021:0758",
    "cpe" : "cpe:/o:redhat:rhel_tus:7.4",
    "package" : "nss-softokn-0:3.28.3-10.el7_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions",
    "release_date" : "2021-03-09T00:00:00Z",
    "advisory" : "RHSA-2021:0758",
    "cpe" : "cpe:/o:redhat:rhel_e4s:7.4",
    "package" : "nss-softokn-0:3.28.3-10.el7_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.6 Extended Update Support",
    "release_date" : "2021-03-16T00:00:00Z",
    "advisory" : "RHSA-2021:0876",
    "cpe" : "cpe:/o:redhat:rhel_eus:7.6",
    "package" : "nss-0:3.36.0-9.el7_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.6 Extended Update Support",
    "release_date" : "2021-03-16T00:00:00Z",
    "advisory" : "RHSA-2021:0876",
    "cpe" : "cpe:/o:redhat:rhel_eus:7.6",
    "package" : "nss-softokn-0:3.36.0-7.el7_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.7 Extended Update Support",
    "release_date" : "2021-03-30T00:00:00Z",
    "advisory" : "RHSA-2021:1026",
    "cpe" : "cpe:/o:redhat:rhel_eus:7.7",
    "package" : "nss-softokn-0:3.44.0-9.el7_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-08-03T00:00:00Z",
    "advisory" : "RHSA-2020:3280",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nspr-0:4.25.0-2.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-08-03T00:00:00Z",
    "advisory" : "RHSA-2020:3280",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nss-0:3.53.1-11.el8_2"
  }, {
    "product_name" : "Red Hat OpenShift Do",
    "release_date" : "2021-03-22T00:00:00Z",
    "advisory" : "RHSA-2021:0949",
    "cpe" : "cpe:/a:redhat:openshift_do:1.0::el7",
    "package" : "openshiftdo/odo-init-image-rhel7:1.1.3-2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "nss",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-17006\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-17006\nhttps://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.46_release_notes" ],
  "name" : "CVE-2019-17006",
  "csaw" : false
}