SB2020072961 - Arbitrary file upload in firefox-esr (Alpine package)

Description

This security bulletin contains information about 1 vulnerability.

1) Arbitrary file upload (CVE-ID: CVE-2020-15649)

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Given an installed malicious file picker application, an attacker was able to steal and upload local files of their choosing, regardless of the actually files picked. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 68.11.

Remediation

Install update from vendor's website.

References

• https://git.alpinelinux.org/aports/commit/?id=4cd4a0dd2e6c9e8d082dca8588312badce9f16ba
• https://git.alpinelinux.org/aports/commit/?id=04f8e005916c290085fcf9cff34c5ed43c7b570e
• https://git.alpinelinux.org/aports/commit/?id=4078c037d203ec86019f68e2ec6e03b7b6a7fcf4