Data handling in firefox-esr (Alpine package)
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-35112 |
| CWE-ID | CWE-19 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
firefox-esr (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Data handling
EUVDB-ID: #VU49023
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-35112
CWE-ID:
CWE-19 - Data Handling
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to the way Firefox processes downloaded files without extensions on Windows operating system. If a user downloaded a file lacking an extension on Windows, and then "Open"-ed it from the downloads panel, if there was an executable file in the downloads directory with the same name but with an executable extension (such as .bat or .exe) that executable would have been launched instead.
The vulnerability affects Windows installations only.
Install update from vendor's website.
Vulnerable software versionsfirefox-esr (Alpine package): 78.5.0-r0
External linkshttp://git.alpinelinux.org/aports/commit/?id=46df21240e124c7207735b2b72b12c9b0b04ae3a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
