Vulnerability Name:

CVE-2020-12403 (CCN-187746)

Assigned:2020-07-27
Published:2020-07-27
Updated:2023-03-24
Summary:
CVSS v3 Severity:9.1 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
7.9 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): High
6.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H)
5.9 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): High
7.4 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H)
6.4 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): High
CVSS v2 Severity:6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availability (A): Partial
6.6 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:C/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availability (A): Complete
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2020-12403

Source: CCN
Type: Red Hat Bugzilla – Bug 1868931
(CVE-2020-12403) - CVE-2020-12403 nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read

Source: security@mozilla.org
Type: Issue Tracking, Patch, Third Party Advisory
security@mozilla.org

Source: CCN
Type: Mozilla Web site
NSS 3.55 release notes

Source: security@mozilla.org
Type: Release Notes, Vendor Advisory
security@mozilla.org

Source: XF
Type: UNKNOWN
mozilla-nss-cve202012403-info-disc(187746)

Source: security@mozilla.org
Type: UNKNOWN
security@mozilla.org

Source: security@mozilla.org
Type: UNKNOWN
security@mozilla.org

Source: CCN
Type: IBM Security Bulletin 6403279 (Security Privileged Identity Manager)
IBM Security Privileged Identity Manager is affected by security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6403293 (MQ Appliance)
IBM MQ Appliance is affected by multiple nss and nspr vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6453115 (Cloud Pak for Security)
Cloud Pak for Security contains security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6457719 (Security Identity Governance and Intelligence)
IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2019-17006, CVE-2019-17023, CVE-2020-12403)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2020-12403

Vulnerable Configuration:
Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:mozilla:network_security_services:3.54:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.0.0:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_privileged_identity_manager:2.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.0.2:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.2:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.0.3:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.3:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.4:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.5:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.0.6:*:*:*:lts:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.2.0.0:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.2.0.1:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.4.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.6.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.5.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.6.0.1:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:7591 | P | libfreebl3-3.79.4-150400.3.29.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:3006 | P | ant-1.9.4-3.3.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:94636 | P | libfreebl3-3.68.3-150400.1.7 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:112631 | P | libfreebl3-3.69.1-1.2 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:106113 | P | libfreebl3-3.69.1-1.2 on GA media (Moderate) | 2021-10-01
oval:com.redhat.rhsa:def:20210538 | P | RHSA-2021:0538: nss security and bug fix update (Moderate) | 2021-02-16
oval:com.redhat.rhsa:def:20204076 | P | RHSA-2020:4076: nss and nspr security, bug fix, and enhancement update (Moderate) | 2020-09-29
    mozilla network security services 3.54
    ibm security identity governance and intelligence 5.2.4
    ibm mq appliance 9.1.0.0
    ibm mq appliance 9.1.0.1
    ibm mq appliance 9.1.1
    ibm security privileged identity manager 2.1.1
    ibm mq appliance 9.1.0.2
    ibm mq appliance 9.1.2
    ibm mq appliance 9.1.0.3
    ibm mq appliance 9.1.3
    ibm security identity governance and intelligence 5.2.5
    ibm mq appliance 9.1.0.4
    ibm mq appliance 9.1.4
    ibm security identity governance and intelligence 5.2.6
    ibm mq appliance 9.1.5
    ibm mq appliance 9.1.0.6
    ibm mq appliance 9.2.0.0
    ibm mq appliance 9.2.0.1
    ibm cloud pak for security 1.4.0.0
    ibm cloud pak for security 1.6.0.0
    ibm cloud pak for security 1.5.0.1
    ibm cloud pak for security 1.5.0.0
    ibm cloud pak for security 1.6.0.1