Use-after-free in firefox (Alpine package)
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-12419 |
| CWE-ID | CWE-416 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
firefox (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Use-after-free
EUVDB-ID: #VU29455
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-12419
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing callbacks that occurred during window flushing in the parent process in nsGlobalWindowInner. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsfirefox (Alpine package): 60.0.1-r0 - 77.0.1-r4
CPE2.3- cpe:2.3:a:alpine:firefox_alpine_package:60.0.1-r0:*:*:*:*:alpine_linux:*:3.8
- cpe:2.3:a:alpine:firefox_alpine_package:68.0.2-r0:*:*:*:*:alpine_linux:*:3.10
- cpe:2.3:a:alpine:firefox_alpine_package:69.0.3-r0:*:*:*:*:alpine_linux:*:3.10
https://git.alpinelinux.org/aports/commit/?id=50b9c9305ecf9f2f8a410c6ea4061b862e0d90d3
https://git.alpinelinux.org/aports/commit/?id=e4a686c2dde77849f3b4deb5bddc8f12226d6c28
https://git.alpinelinux.org/aports/commit/?id=ec5f4ee787ff7c93554db1adad3f948797da3871
https://git.alpinelinux.org/aports/commit/?id=9fdb676f9b442b62e9679953f32613ee3c3f82e1
https://git.alpinelinux.org/aports/commit/?id=692a20732e84f5c97fd8312b369d43fc43c7bfc5
https://git.alpinelinux.org/aports/commit/?id=9479fd03dc65a7561e26946980c924c4147e42d2
https://git.alpinelinux.org/aports/commit/?id=02f4c40162bc3c2f611ce86613bbf01f13e6146b
https://git.alpinelinux.org/aports/commit/?id=7ece421265010e81e06c3b8b9137b0b62f7acc73
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
