Vulnerability Details : CVE-2020-6820
Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Thunderbird < 68.7.0, Firefox < 74.0.1, and Firefox ESR < 68.6.1.
Vulnerability category: Memory Corruption
Products affected by CVE-2020-6820
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
CVE-2020-6820 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
Mozilla Firefox And Thunderbird Use-After-Free Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Mozilla Firefox and Thunderbird contain a race condition vulnerability when handling a ReadableStream under certain conditions. The race condition creates a use-after-free vulnerability, causing unspecified impacts.
Notes:
https://nvd.nist.gov/vuln/detail/CVE-2020-6820
Added on
2021-11-03
Action due date
2022-05-03
Exploit prediction scoring system (EPSS) score for CVE-2020-6820
1.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 84 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-6820
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST | |
8.1
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
2.2
|
5.9
|
NIST |
CWE ids for CVE-2020-6820
-
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-6820
-
https://www.mozilla.org/security/advisories/mfsa2020-11/
Security Vulnerabilities fixed in Firefox 74.0.1 and Firefox ESR 68.6.1 — MozillaVendor Advisory
-
https://bugzilla.mozilla.org/show_bug.cgi?id=1626728
Access DeniedIssue Tracking;Permissions Required
-
https://usn.ubuntu.com/4335-1/
USN-4335-1: Thunderbird vulnerabilities | Ubuntu security noticesThird Party Advisory
-
https://www.mozilla.org/security/advisories/mfsa2020-14/
Security Vulnerabilities fixed in Thunderbird 68.7.0 — MozillaVendor Advisory
Jump to