{
  "threat_severity" : "Moderate",
  "public_date" : "2020-07-27T00:00:00Z",
  "bugzilla" : {
    "description" : "nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read",
    "id" : "1868931",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1868931"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-125",
  "details" : [ "A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.", "A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability." ],
  "acknowledgement" : "Red Hat would like to thank the Mozilla Project for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-09-29T00:00:00Z",
    "advisory" : "RHSA-2020:4076",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "nspr-0:4.25.0-2.el7_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-09-29T00:00:00Z",
    "advisory" : "RHSA-2020:4076",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "nss-0:3.53.1-3.el7_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-09-29T00:00:00Z",
    "advisory" : "RHSA-2020:4076",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "nss-softokn-0:3.53.1-6.el7_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-09-29T00:00:00Z",
    "advisory" : "RHSA-2020:4076",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "nss-util-0:3.53.1-1.el7_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.4 Advanced Update Support",
    "release_date" : "2021-03-09T00:00:00Z",
    "advisory" : "RHSA-2021:0758",
    "cpe" : "cpe:/o:redhat:rhel_aus:7.4",
    "package" : "nss-softokn-0:3.28.3-10.el7_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.4 Telco Extended Update Support",
    "release_date" : "2021-03-09T00:00:00Z",
    "advisory" : "RHSA-2021:0758",
    "cpe" : "cpe:/o:redhat:rhel_tus:7.4",
    "package" : "nss-softokn-0:3.28.3-10.el7_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions",
    "release_date" : "2021-03-09T00:00:00Z",
    "advisory" : "RHSA-2021:0758",
    "cpe" : "cpe:/o:redhat:rhel_e4s:7.4",
    "package" : "nss-softokn-0:3.28.3-10.el7_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.6 Extended Update Support",
    "release_date" : "2021-03-16T00:00:00Z",
    "advisory" : "RHSA-2021:0876",
    "cpe" : "cpe:/o:redhat:rhel_eus:7.6",
    "package" : "nss-0:3.36.0-9.el7_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.6 Extended Update Support",
    "release_date" : "2021-03-16T00:00:00Z",
    "advisory" : "RHSA-2021:0876",
    "cpe" : "cpe:/o:redhat:rhel_eus:7.6",
    "package" : "nss-softokn-0:3.36.0-7.el7_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.7 Extended Update Support",
    "release_date" : "2021-03-30T00:00:00Z",
    "advisory" : "RHSA-2021:1026",
    "cpe" : "cpe:/o:redhat:rhel_eus:7.7",
    "package" : "nss-softokn-0:3.44.0-9.el7_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-02-16T00:00:00Z",
    "advisory" : "RHSA-2021:0538",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nss-0:3.53.1-17.el8_3"
  }, {
    "product_name" : "Red Hat OpenShift Do",
    "release_date" : "2021-03-22T00:00:00Z",
    "advisory" : "RHSA-2021:0949",
    "cpe" : "cpe:/a:redhat:openshift_do:1.0::el7",
    "package" : "openshiftdo/odo-init-image-rhel7:1.1.3-2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Out of support scope",
    "package_name" : "nss",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "nss",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-12403\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-12403\nhttps://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes" ],
  "name" : "CVE-2020-12403",
  "csaw" : false
}