#VU47910 Allocation of Resources Without Limits or Throttling in Mozilla NSS - CVE-2020-25648

 


Published: October 21, 2020 / Updated: October 26, 2020


Vulnerability identifier: #VU47910
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-25648
CWE-ID: CWE-770
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Mozilla NSS
Software vendor:
Mozilla

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58.
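A passive check for the pattern described above, written as an added example (not code from NSS or from this advisory): it walks the TLS record headers of one direction of a reassembled connection and counts ChangeCipherSpec records, which stay visible as plaintext records of content type 20. The `CCS_LIMIT` threshold, the function names and the sample byte strings are assumptions made for illustration.

```python
import struct

CT_CHANGE_CIPHER_SPEC = 20   # TLS record ContentType (RFC 8446, section 5.1)
CT_HANDSHAKE = 22
CT_APPLICATION_DATA = 23
CCS_LIMIT = 2                # assumed alert threshold, not from the advisory


def iter_records(stream: bytes):
    """Yield (content_type, payload) for each complete TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _legacy_version, length = struct.unpack_from("!BHH", stream, off)
        end = off + 5 + length
        if end > len(stream):
            break            # truncated capture: ignore the partial record
        yield ctype, stream[off + 5:end]
        off = end


def count_ccs(stream: bytes) -> int:
    """Count ChangeCipherSpec records sent in one direction of a connection."""
    return sum(1 for ctype, _ in iter_records(stream)
               if ctype == CT_CHANGE_CIPHER_SPEC)


def is_ccs_flood(stream: bytes, limit: int = CCS_LIMIT) -> bool:
    """True when the stream carries more CCS records than the assumed limit."""
    return count_ccs(stream) > limit


def record(ctype: int, payload: bytes) -> bytes:
    """Build a TLS record for the constructed samples below."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload


# Constructed samples (placeholder payloads, not real handshake messages).
NORMAL = (record(CT_HANDSHAKE, b"\x00" * 32)
          + record(CT_CHANGE_CIPHER_SPEC, b"\x01")
          + record(CT_APPLICATION_DATA, b"\x00" * 48))
REPEATED = (record(CT_HANDSHAKE, b"\x00" * 32)
            + record(CT_CHANGE_CIPHER_SPEC, b"\x01") * 50)

if __name__ == "__main__":
    for name, sample in (("normal", NORMAL), ("repeated", REPEATED)):
        print(name, count_ccs(sample), is_ccs_flood(sample))
```

The counter only tells a sensor which connections to look at; the fix for affected servers remains the vendor update.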


Remediation

Install the update from the vendor's website.

External links