Lucene search

K
ibmIBMD691026F8D4572B3929210BCAE3234777206E9021CF110AA3447C126C5BBDBDF
HistoryJul 21, 2022 - 1:27 p.m.

Security Bulletin: Multiple vulnerabilities in Mozilla Firefox affect IBM Cloud App Management

2022-07-2113:27:42
www.ibm.com
29
mozilla firefox
ibm cloud app management
remote code execution
sensitive information disclosure
use-after-free
denial of service

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.526

Percentile

97.6%

Summary

There are vulnerabilities in Mozilla Firefox used by IBM® Cloud App Management. IBM® Cloud App Management has addressed the applicable CVEs in a later version.

Vulnerability Details

**CVEID:**CVE-2020-6815 DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177421 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

**CVEID:**CVE-2020-6809 DESCRIPTION: Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by an error in Web Extensions when the all-urls permission could access local files. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177415 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

**CVEID:**CVE-2020-6805 DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free when removing data about an origin. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177410 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

**CVEID:**CVE-2020-6814 DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177420 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

**CVEID:**CVE-2020-6806 DESCRIPTION: Mozilla Firefox is vulnerable to a denial of service, caused by an out-of-bounds read off the end of an array resized during script execution. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to corrupt memory and cause the browser to crash.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177412 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2020-6808 DESCRIPTION: Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by an error when a JavaScript URL (javascript:) is evaluated. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177414 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

**CVEID:**CVE-2020-6807 DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in cubeb during stream destruction. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177413 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

**CVEID:**CVE-2020-6813 DESCRIPTION: Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by an error in @import statements when protecting CSS blocks with the nonce feature of Content Security Policy. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to inject arbitrary styles and bypass the intent of the Content Security Policy.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177419 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Cloud App Management V2018 2019.3.0
IBM Cloud App Management V2018 2019.4.0

Remediation/Fixes

IBM Cloud App Management was updated to use a later version of Mozilla Firefox. Install or upgrade to IBM Cloud App Management 2020.1.0 or later to address these security vulnerabilities. Later versions of IBM Cloud App Management are available on IBM Passport Advantage.

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmcloud_app_managementMatch2019.3.0
OR
ibmcloud_app_managementMatch2019.4.0
VendorProductVersionCPE
ibmcloud_app_management2019.3.0cpe:2.3:a:ibm:cloud_app_management:2019.3.0:*:*:*:*:*:*:*
ibmcloud_app_management2019.4.0cpe:2.3:a:ibm:cloud_app_management:2019.4.0:*:*:*:*:*:*:*

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.526

Percentile

97.6%