Buffer overflow in mozjs68 (Alpine package)

1) Buffer overflow

EUVDB-ID: #VU28527

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-12410

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

mozjs68 (Alpine package): 68.8.0-r0

External links

http://git.alpinelinux.org/aports/commit/?id=aadba671901181be240a1d151a9f3a04f2ce3ca5
http://git.alpinelinux.org/aports/commit/?id=37e37d549603b29c55fafcde8f3732cfb9db1640
http://git.alpinelinux.org/aports/commit/?id=c3bc99eb0be5fedab0fdd751a54afe87028c920b
http://git.alpinelinux.org/aports/commit/?id=da1c1b9ae466f66ae95fc66418a02c3ae10be583
http://git.alpinelinux.org/aports/commit/?id=5d9ca1b5fa041ac0d09e2bd2038f505e06c7d7f5
http://git.alpinelinux.org/aports/commit/?id=b3181176e64948e2cd534829b0e3883aed67a27c

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.