Information Disclosure

2020-11-2010:23:57

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

JSON

firefox is vulnerable to information disclosure. When drawing a transparent image on top of an unknown cross-origin image, the Skia library drawImage function takes a variable amount of time depending on the content of the underlying image. This can result in potential cross-origin information exposure of image content through timing side-channel attacks.

CPENameOperatorVersion
firefox:develeq81.0+build1
firefox:develeq80.0.1+build1
firefox:develeq78.0.1+build1
firefox:xenialeq80.0.1+build1
firefox:xenialeq45.0.2+build1
firefox:xenialeq80.0+build2
firefox:groovyeq81.0+build1
firefox:groovyeq80.0.1+build1
firefox:groovyeq78.0.1+build1
firefox:groovyeq80.0+build2

Name	Operator	Version
firefox:devel	eq	81.0+build1
firefox:devel	eq	80.0.1+build1
firefox:devel	eq	78.0.1+build1
firefox:xenial	eq	80.0.1+build1
firefox:xenial	eq	45.0.2+build1
firefox:xenial	eq	80.0+build2
firefox:groovy	eq	81.0+build1
firefox:groovy	eq	80.0.1+build1
firefox:groovy	eq	78.0.1+build1
firefox:groovy	eq	80.0+build2