Vulnerability Description
After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | < 72.0 |
| Canonical | Ubuntu Linux | 16.04 |
| Debian | Debian Linux | 10.0 |
Related Weaknesses (CWE)
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1590001Issue TrackingPermissions Required
- https://usn.ubuntu.com/4234-1/Third Party Advisory
- https://usn.ubuntu.com/4397-1/Third Party Advisory
- https://www.debian.org/security/2020/dsa-4726Third Party Advisory
- https://www.mozilla.org/security/advisories/mfsa2020-01/Vendor Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=1590001Issue TrackingPermissions Required
- https://usn.ubuntu.com/4234-1/Third Party Advisory
- https://usn.ubuntu.com/4397-1/Third Party Advisory
- https://www.debian.org/security/2020/dsa-4726Third Party Advisory
- https://www.mozilla.org/security/advisories/mfsa2020-01/Vendor Advisory
FAQ
What is CVE-2019-17023?
CVE-2019-17023 is a vulnerability with a CVSS score of 6.5 (MEDIUM). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, ...
How severe is CVE-2019-17023?
CVE-2019-17023 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-17023?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Canonical Ubuntu Linux, Debian Debian Linux.