Insecure DLL loading in firefox (Alpine package)
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-15657 |
| CWE-ID | CWE-427 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
firefox (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Insecure DLL loading
EUVDB-ID: #VU32904
Risk: Low
CVSSv3.1: 7.1 [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-15657
CWE-ID:
CWE-427 - Uncontrolled Search Path Element
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to the application loads DLL libraries in an insecure manner from the installation directory. A remote attacker can place a specially crafted .dll file into directory, from which Firefox is being installed, trick the victim into launching the Firefox installer and execute arbitrary code on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsfirefox (Alpine package): 78.0.2-r1
External linkshttp://git.alpinelinux.org/aports/commit/?id=ecfc67fc0aa1c8be66b005da45f868c730633a4e
http://git.alpinelinux.org/aports/commit/?id=78431c6461742f7904f5cd815bbed5f76852a8aa
http://git.alpinelinux.org/aports/commit/?id=d28edc9bebe787d7cff81e5dc7200f5b78fd3797
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
