First published: Tue Mar 10 2020
By carefully crafting promise resolutions, it was possible to cause an out-of-bounds read off the end of an array resized during script execution. This could have led to memory corruption and a potentially exploitable crash.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Firefox ESR | <68.6 | 68.6 |
| Mozilla Thunderbird | <68.6 | 68.6 |
| redhat/firefox | <68.6 | 68.6 |
| redhat/thunderbird | <68.6 | 68.6 |
| Mozilla Firefox | <74 | 74 |
| Mozilla Firefox | <74.0 | |
| Mozilla Firefox ESR | <68.6.0 | |
| Mozilla Thunderbird | <68.6.0 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =19.10 | |
| debian/firefox | 133.0.3-1 | |
| debian/firefox-esr | 115.14.0esr-1~deb11u1, 128.5.0esr-1~deb11u1, 128.3.1esr-1~deb12u1, 128.5.0esr-1~deb12u1, 128.5.0esr-1, 128.5.1esr-1 | |
| debian/thunderbird | 1:115.12.0-1~deb11u1, 1:128.5.0esr-1~deb11u1, 1:115.16.0esr-1~deb12u1, 1:128.5.0esr-1~deb12u1, 1:128.5.2esr-1 | |
CVE-2020-6806 is a vulnerability in Mozilla Firefox and Thunderbird that allows for an out-of-bounds read off the end of an array during script execution, potentially leading to memory corruption and a crash.
CVE-2020-6806 affects Mozilla Firefox versions before 74, Mozilla Thunderbird versions before 68.6, and Mozilla Firefox ESR versions before 68.6.
CVE-2020-6806 has a severity rating of high (7) based on the Common Vulnerability Scoring System (CVSS).
To fix CVE-2020-6806, upgrade Mozilla Firefox to version 74 or later, Mozilla Thunderbird to version 68.6 or later, or Mozilla Firefox ESR to version 68.6 or later.
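The branch matters when checking an installed version against this advisory: Firefox 68.x is the ESR line (fixed in 68.6), while mainline Firefox is fixed in 74, so a bare "68.6" is only safe if it is actually an ESR build. The following is an added example, not code from the advisory or from Mozilla; it applies the fix thresholds from the table above to version strings in the plain and Debian package formats the table uses. The inventory rows are constructed.

```python
"""Check Firefox / Thunderbird version strings against the CVE-2020-6806
fix thresholds listed in this advisory (added example; sample data is constructed)."""
import re
from typing import List, Optional, Tuple

# Fixed versions from the advisory table, keyed by (product, is_esr).
FIXED = {
    ("firefox", False): (74, 0, 0),   # mainline Firefox fixed in 74
    ("firefox", True): (68, 6, 0),    # Firefox ESR fixed in 68.6
    ("thunderbird", True): (68, 6, 0),  # Thunderbird follows the 68.x line, fixed in 68.6
}

_VER_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?")

def parse_version(version: str) -> Tuple[int, int, int]:
    """'68.6.0esr', '74.0', '1:115.12.0-1~deb11u1' -> (major, minor, patch).
    Debian epoch ('1:') and revision ('-1~deb11u1') are dropped; a trailing
    'esr' tag is ignored because the regex only takes leading numeric parts."""
    v = version.split(":", 1)[-1]
    v = v.split("-", 1)[0]
    m = _VER_RE.match(v)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g) if g else 0 for g in m.groups())  # type: ignore[return-value]

def is_affected(product: str, version: str, esr: Optional[bool] = None) -> bool:
    """True if the version is below the advisory's fix threshold for its branch.
    ESR is inferred from an 'esr' tag in the version unless given explicitly;
    Thunderbird only has the 68.6 threshold in this advisory."""
    product = product.lower()
    if esr is None:
        esr = "esr" in version.lower()
    if product == "thunderbird":
        esr = True
    if (product, esr) not in FIXED:
        raise ValueError(f"no advisory data for {product!r} (esr={esr})")
    return parse_version(version) < FIXED[(product, esr)]

def affected_rows(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, product, version) rows that still need the fix."""
    return [row for row in inventory if is_affected(row[1], row[2])]

SAMPLE_INVENTORY = [  # constructed, not real hosts
    ("ws-01", "firefox", "73.0.1"),
    ("ws-02", "firefox", "74.0"),
    ("srv-01", "firefox", "68.5.0esr"),
    ("srv-02", "firefox", "115.14.0esr-1~deb11u1"),
    ("mail-01", "thunderbird", "68.5.1"),
    ("mail-02", "thunderbird", "1:115.12.0-1~deb11u1"),
]

if __name__ == "__main__":
    for host, product, version in affected_rows(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected by CVE-2020-6806")
```

Note that `is_affected("firefox", "68.6.0")` without an ESR tag is reported as affected, because an untagged 68.6 is judged by the mainline threshold of 74; pass `esr=True` when you know the build is ESR.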
You can find more information about CVE-2020-6806 on the Mozilla Bugzilla and Mozilla security advisories pages.