Memory leak in firefox (Alpine package)



Published: 2020-06-02
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-12407
CWE-ID CWE-401
Exploitation vector Local
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
Subscribe 		firefox (Alpine package)
Operating systems & Components / Operating system package or component

Vendor Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Memory leak

EUVDB-ID: #VU28525

Risk: Low

CVSSv3.1: 1.8 [CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-12407

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local user to view memory contents

The vulnerability exists due memory leak in WebRender. An attacker with physical access to the system can open a specially crafted web page and view contents of GPU memory on screen.

Mitigation

Install update from vendor's website.

Vulnerable software versions

firefox (Alpine package): 76.0.1-r1

External links

http://git.alpinelinux.org/aports/commit/?id=66010d68451b4eac4d3f7315739fd156bd840f21
http://git.alpinelinux.org/aports/commit/?id=8dc0bf1501171d97e4b280f12987e24bf3cc53f7


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.



###SIDEBAR###