CVE-2020-12417 — HIGH (8.8)

Q: How severe is CVE-2020-12417?

CVE-2020-12417 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-12417?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Firefox Esr, Mozilla Thunderbird, Canonical Ubuntu Linux, Opensuse Leap.

Vulnerability Description

Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash. *Note: this issue only affects Firefox on ARM64 platforms.* This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Mozilla	Firefox	< 78.0
Mozilla	Firefox Esr	< 68.10.0
Mozilla	Thunderbird	< 68.10.0
Canonical	Ubuntu Linux	16.04
Opensuse	Leap	15.1

Related Weaknesses (CWE)

CWE-787 CWE-617 CWE-681

References

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00023.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00026.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00027.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00049.htmlMailing ListThird Party Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1640737ExploitIssue TrackingVendor Advisory
https://security.gentoo.org/glsa/202007-09Third Party Advisory
https://security.gentoo.org/glsa/202007-10Third Party Advisory
https://usn.ubuntu.com/4421-1/Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2020-24/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2020-25/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2020-26/Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00023.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00026.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00027.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00049.htmlMailing ListThird Party Advisory

FAQ

What is CVE-2020-12417?

CVE-2020-12417 is a vulnerability with a CVSS score of 8.8 (HIGH). Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash. *Note: this issue only affects ...

How severe is CVE-2020-12417?

CVE-2020-12417 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-12417?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Firefox Esr, Mozilla Thunderbird, Canonical Ubuntu Linux, Opensuse Leap.