Risk | High |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2020-12406 |
CWE-ID | CWE-843 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software Subscribe |
firefox (Alpine package) Operating systems & Components / Operating system package or component |
Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one high risk vulnerability.
EUVDB-ID: #VU28524
Risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-12406
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error during unboxed JavaScript objects removal. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsfirefox (Alpine package): 76.0.1-r1
CPE2.3 External linkshttp://git.alpinelinux.org/aports/commit/?id=aadba671901181be240a1d151a9f3a04f2ce3ca5
http://git.alpinelinux.org/aports/commit/?id=37e37d549603b29c55fafcde8f3732cfb9db1640
http://git.alpinelinux.org/aports/commit/?id=c3bc99eb0be5fedab0fdd751a54afe87028c920b
http://git.alpinelinux.org/aports/commit/?id=da1c1b9ae466f66ae95fc66418a02c3ae10be583
http://git.alpinelinux.org/aports/commit/?id=5d9ca1b5fa041ac0d09e2bd2038f505e06c7d7f5
http://git.alpinelinux.org/aports/commit/?id=b3181176e64948e2cd534829b0e3883aed67a27c
http://git.alpinelinux.org/aports/commit/?id=66010d68451b4eac4d3f7315739fd156bd840f21
http://git.alpinelinux.org/aports/commit/?id=8dc0bf1501171d97e4b280f12987e24bf3cc53f7
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.