CVE-2020-25648 — HIGH (7.5)

Q: How severe is CVE-2020-25648?

CVE-2020-25648 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-25648?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Network Security Services, Redhat Enterprise Linux, Fedoraproject Fedora, Oracle Communications Offline Mediation Controller, Oracle Communications Pricing Design Center.

Vulnerability Description

A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Mozilla	Network Security Services	< 3.58
Redhat	Enterprise Linux	7.0
Fedoraproject	Fedora	31
Oracle	Communications Offline Mediation Controller	12.0.0.3.0
Oracle	Communications Pricing Design Center	12.0.0.3.0
Oracle	Jd Edwards Enterpriseone Tools	< 9.2.6.0

Related Weaknesses (CWE)

CWE-770

References

https://bugzilla.redhat.com/show_bug.cgi?id=1887319Issue TrackingThird Party Advisory
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.58_release_nRelease NotesVendor Advisory
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430
https://lists.debian.org/debian-lts-announce/2023/10/msg00039.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://www.oracle.com//security-alerts/cpujul2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlNot ApplicableThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1887319Issue TrackingThird Party Advisory
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.58_release_nRelease NotesVendor Advisory
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430
https://lists.debian.org/debian-lts-announce/2023/10/msg00039.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro

FAQ

What is CVE-2020-25648?

CVE-2020-25648 is a vulnerability with a CVSS score of 7.5 (HIGH). A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled w...

How severe is CVE-2020-25648?

CVE-2020-25648 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-25648?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Network Security Services, Redhat Enterprise Linux, Fedoraproject Fedora, Oracle Communications Offline Mediation Controller, Oracle Communications Pricing Design Center.