CVE-2019-17023
medium
CVSS v3
—
CVSS v2
—
VIR risk
5.5
Description
After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2020:3280
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2019-17023
Vendor advisory: arch — https://security.archlinux.org/ASA-202001-1
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| arch | fixed | 72.0-1 | |
| debian | sid | fixed | 72.0-1 |
| rocky | 8 | fixed | |
| debian | bookworm | fixed | 2:3.49-1 |
| debian | bullseye | fixed | 2:3.49-1 |
| debian | forky | fixed | 2:3.49-1 |
| debian | trixie | fixed | 2:3.49-1 |
References
Verify integrity in audit chain (admin only). AS-IS.