General : Mozilla Firefox Security Advisory (MFSA2020-12)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.2.1.2020.12

Category: General

Title: Mozilla Firefox Security Advisory (MFSA2020-12) - Linux

Summary: This host is missing a security update for Mozilla Firefox.

Description: Summary:
This host is missing a security update for Mozilla Firefox.

Vulnerability Insight:
CVE-2020-6821: Uninitialized memory could be read when using the WebGL copyTexSubImage method
When reading from areas partially or fully outside the source resource with WebGL's copyTexSubImage method, the specification requires the returned values be zero. Previously, this memory was uninitialized, leading to potentially sensitive data disclosure.

CVE-2020-6822: Out of bounds write in GMPDecodeData when processing large images
On 32-bit builds, an out of bounds write could have occurred when processing an image larger than 4 GB in GMPDecodeData. It is possible that with enough effort this could have been exploited to run arbitrary code.

CVE-2020-6823: Malicious Extension could obtain auth codes from OAuth login flows
A malicious extension could have called browser.identity.launchWebAuthFlow, controlling the redirect_uri, and through the Promise returned, obtain the Auth code and gain access to the user's account at the service provider.

CVE-2020-6824: Generated passwords may be identical on the same site between separate private browsing sessions
Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the Private Browsing Window but leaves Firefox open. Subsequently, if the user had opened a new Private Browsing Window, revisited the same site, and generated a new password - the generated passwords would have been identical, rather than independent.

CVE-2020-6825: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
Mozilla developers and community members Tyson Smith and Christian Holler reported memory safety bugs present in Firefox 74 and Firefox ESR 68.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2020-6826: Memory safety bugs fixed in Firefox 75
Mozilla developers Tyson Smith, Bob Clary, and Alexandru Michis reported memory safety bugs present in Firefox 74. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

Affected Software/OS:
Firefox version(s) below 75.

Solution:
The vendor has released an update. Please see the reference(s) for more information.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2020-6821
https://bugzilla.mozilla.org/show_bug.cgi?id=1625404
https://www.mozilla.org/security/advisories/mfsa2020-12/
https://www.mozilla.org/security/advisories/mfsa2020-13/
https://www.mozilla.org/security/advisories/mfsa2020-14/
https://usn.ubuntu.com/4335-1/
Common Vulnerability Exposure (CVE) ID: CVE-2020-6822
https://bugzilla.mozilla.org/show_bug.cgi?id=1544181
Common Vulnerability Exposure (CVE) ID: CVE-2020-6823
https://bugzilla.mozilla.org/show_bug.cgi?id=1614919
Common Vulnerability Exposure (CVE) ID: CVE-2020-6824
https://bugzilla.mozilla.org/show_bug.cgi?id=1621853
Common Vulnerability Exposure (CVE) ID: CVE-2020-6825
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1572541%2C1620193%2C1620203
Common Vulnerability Exposure (CVE) ID: CVE-2020-6826
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1613009%2C1613195%2C1616734%2C1617488%2C1619229%2C1620719%2C1624897

Copyright Copyright (C) 2021 Greenbone Networks GmbH

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.2.1.2020.12
Category:	General
Title:	Mozilla Firefox Security Advisory (MFSA2020-12) - Linux
Summary:	This host is missing a security update for Mozilla Firefox.
Description:	Summary: This host is missing a security update for Mozilla Firefox. Vulnerability Insight: CVE-2020-6821: Uninitialized memory could be read when using the WebGL copyTexSubImage method When reading from areas partially or fully outside the source resource with WebGL's copyTexSubImage method, the specification requires the returned values be zero. Previously, this memory was uninitialized, leading to potentially sensitive data disclosure. CVE-2020-6822: Out of bounds write in GMPDecodeData when processing large images On 32-bit builds, an out of bounds write could have occurred when processing an image larger than 4 GB in GMPDecodeData. It is possible that with enough effort this could have been exploited to run arbitrary code. CVE-2020-6823: Malicious Extension could obtain auth codes from OAuth login flows A malicious extension could have called browser.identity.launchWebAuthFlow, controlling the redirect_uri, and through the Promise returned, obtain the Auth code and gain access to the user's account at the service provider. CVE-2020-6824: Generated passwords may be identical on the same site between separate private browsing sessions Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the Private Browsing Window but leaves Firefox open. Subsequently, if the user had opened a new Private Browsing Window, revisited the same site, and generated a new password - the generated passwords would have been identical, rather than independent. CVE-2020-6825: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7 Mozilla developers and community members Tyson Smith and Christian Holler reported memory safety bugs present in Firefox 74 and Firefox ESR 68.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. CVE-2020-6826: Memory safety bugs fixed in Firefox 75 Mozilla developers Tyson Smith, Bob Clary, and Alexandru Michis reported memory safety bugs present in Firefox 74. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Affected Software/OS: Firefox version(s) below 75. Solution: The vendor has released an update. Please see the reference(s) for more information. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2020-6821 https://bugzilla.mozilla.org/show_bug.cgi?id=1625404 https://www.mozilla.org/security/advisories/mfsa2020-12/ https://www.mozilla.org/security/advisories/mfsa2020-13/ https://www.mozilla.org/security/advisories/mfsa2020-14/ https://usn.ubuntu.com/4335-1/ Common Vulnerability Exposure (CVE) ID: CVE-2020-6822 https://bugzilla.mozilla.org/show_bug.cgi?id=1544181 Common Vulnerability Exposure (CVE) ID: CVE-2020-6823 https://bugzilla.mozilla.org/show_bug.cgi?id=1614919 Common Vulnerability Exposure (CVE) ID: CVE-2020-6824 https://bugzilla.mozilla.org/show_bug.cgi?id=1621853 Common Vulnerability Exposure (CVE) ID: CVE-2020-6825 https://bugzilla.mozilla.org/buglist.cgi?bug_id=1572541%2C1620193%2C1620203 Common Vulnerability Exposure (CVE) ID: CVE-2020-6826 https://bugzilla.mozilla.org/buglist.cgi?bug_id=1613009%2C1613195%2C1616734%2C1617488%2C1619229%2C1620719%2C1624897
Copyright	Copyright (C) 2021 Greenbone Networks GmbH