CVE-2020-25648

Published: 20 October 2020

A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58.

Priority

Low

CVSS 3 base score: 7.5

Status

Package: nss (Launchpad, Ubuntu, Debian)

Release   Status
bionic    Released (2:3.35-2ubuntu2.14)
focal     Released (2:3.49.1-1ubuntu1.7)
groovy    Ignored (reached end-of-life)
hirsute   Not vulnerable (3.61-1ubuntu2)
impish    Not vulnerable (3.61-1ubuntu2)
jammy     Not vulnerable (3.61-1ubuntu2)
precise   Ignored (end of ESM support, was needs-triage)
trusty    Needs triage
upstream  Released (2:3.61-1)
xenial    Needs triage

Notes

Author: leosilva
Note: From SUSE and RHEL: This issue affects servers which are compiled against the NSS library. Other consumers of NSS, like Firefox etc., are not affected by this flaw.
