ALAS2-2020-1379 --- nss-softokn
ID: oval:org.secpod.oval:def:1700291 | Date: (C)2020-01-14 (M)2024-04-17 |
Class: PATCH | Family: unix |
Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. A heap-based buffer overflow was found in the NSC_EncryptUpdate function in Mozilla nss. A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations to execute arbitrary code with the permissions of the user running the application. While the attack complexity is high, the impact to confidentiality, integrity, and availability is high as well.