Input validation error in firefox-esr (Alpine package)
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-15658 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
firefox-esr (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Input validation error
EUVDB-ID: #VU32903
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-15658
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to insufficient validation of special characters during file download,
which led to an attacker being able to cut off the file ending at an
earlier position, leading to a different file type being downloaded than
shown in the dialog. A remote attacker can override file type when saving data to disk.
Install update from vendor's website.
Vulnerable software versionsfirefox-esr (Alpine package): 78.0.2-r1
CPE2.3 External linkshttp://git.alpinelinux.org/aports/commit/?id=ecfc67fc0aa1c8be66b005da45f868c730633a4e
http://git.alpinelinux.org/aports/commit/?id=78431c6461742f7904f5cd815bbed5f76852a8aa
http://git.alpinelinux.org/aports/commit/?id=d28edc9bebe787d7cff81e5dc7200f5b78fd3797
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
