CVE-2020-25648
HIGH
Network Security Services < 3.58 - Denial of Service via TLS 1.3 CCS Message Flood
Title source: llm
Description
A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58.
References (10)
Core References
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RPOLN6DJUYQ3QBQEGLZGV73SNIPK7GHV/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HRM53IQCPZT2US3M7JXTP6I6IBA5RGOD/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERA5SVJQXQMDGES7RIT4F4NQVLD35RXN/
Mailing List mailing-list
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E
Mailing List mailing-list
https://lists.debian.org/debian-lts-announce/2023/10/msg00039.html
Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1887319
Release Notes, Vendor Advisory
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.58_release_notes
Patch, Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html
Not Applicable, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Scores
CVSS v3
7.5
EPSS
0.0010
EPSS Percentile
26.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-770
Status
published
Products (9)
fedoraproject/fedora
31
fedoraproject/fedora
32
fedoraproject/fedora
33
mozilla/network_security_services
< 3.58
oracle/communications_offline_mediation_controller
12.0.0.3.0
oracle/communications_pricing_design_center
12.0.0.3.0
oracle/jd_edwards_enterpriseone_tools
< 9.2.6.0
redhat/enterprise_linux
7.0
redhat/enterprise_linux
8.0
Published
Oct 20, 2020
Tracked Since
Feb 18, 2026