Arbitrary file upload in mozjs68 (Alpine package)
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-15649 |
| CWE-ID | CWE-434 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
mozjs68 (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Arbitrary file upload
EUVDB-ID: #VU45686
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-15649
CWE-ID:
CWE-434 - Unrestricted Upload of File with Dangerous Type
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Given an installed malicious file picker application, an attacker was able to steal and upload local files of their choosing, regardless of the actually files picked. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 68.11.
MitigationInstall update from vendor's website.
Vulnerable software versionsmozjs68 (Alpine package): 68.10.0-r0
CPE2.3 External linkshttps://git.alpinelinux.org/aports/commit/?id=4cd4a0dd2e6c9e8d082dca8588312badce9f16ba
https://git.alpinelinux.org/aports/commit/?id=04f8e005916c290085fcf9cff34c5ed43c7b570e
https://git.alpinelinux.org/aports/commit/?id=4078c037d203ec86019f68e2ec6e03b7b6a7fcf4
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
