CVE-2019-11745

HIGH

Thunderbird <68.3-Firefox <71 - Buffer Overflow

Title source: llm

Description

When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71.

References (17)

Core 17

Core References

Vendor Advisory x_refsource_confirm

https://www.mozilla.org/security/advisories/mfsa2019-36/

Vendor Advisory x_refsource_confirm

https://www.mozilla.org/security/advisories/mfsa2019-38/

Vendor Advisory x_refsource_confirm

https://www.mozilla.org/security/advisories/mfsa2019-37/

Issue Tracking, Patch, Vendor Advisory x_refsource_confirm

https://bugzilla.mozilla.org/show_bug.cgi?id=1586176

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html

Issue Tracking, Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/4241-1/

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2020:0243

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2020:0466

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/202003-02

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/202003-10

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/202003-37

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/4335-1/

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2020/09/msg00029.html

Third Party Advisory x_refsource_confirm

https://cert-portal.siemens.com/productcert/pdf/ssa-379803.pdf

Third Party Advisory, US Government Resource x_refsource_misc

https://us-cert.cisa.gov/ics/advisories/icsa-21-040-04

Scores

CVSS v3 8.8

EPSS 0.0081

EPSS Percentile 74.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-787

Status published

Products (17)

canonical/ubuntu_linux 16.04

canonical/ubuntu_linux 18.04

canonical/ubuntu_linux 19.10

debian/debian_linux 9.0

mozilla/firefox < 71.0

mozilla/firefox_esr < 68.3

mozilla/thunderbird < 68.3.0

opensuse/leap 15.1

redhat/enterprise_linux_server_aus 6.6

siemens/ruggedcom_rox_mx5000_firmware < 2.14.0

... and 7 more

Published Jan 08, 2020

Tracked Since Feb 18, 2026