CVE-2020-12388: Improper Input Validation in Mozilla Firefox

Severity
10.0 CRITICAL (NVD)
EPSS
0.7%
top 27.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: May 26
Latest update: May 24

Description

The Firefox content processes did not sufficiently lock down access control, which could result in a sandbox escape. *Note: this issue only affects Firefox on Windows operating systems.* This vulnerability affects Firefox ESR < 68.8 and Firefox < 76.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 6.0

Affected Packages (4 packages)

CVEListV5 | mozilla/firefox | unspecified | 76
NVD | mozilla/firefox | < 76.0
CVEListV5 | mozilla/firefox_esr | unspecified | 68.8
NVD | mozilla/firefox_esr | < 68.8.0

🔴 Vulnerability Details (4)

GHSA
GHSA-fx7p-g7cp-xx65: The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape (2022-05-24)
Project0
FF Sandbox Escape (CVE-2020-12388) - Project Zero (2020-06-01)
OSV
CVE-2020-12388: The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape (2020-05-26)
CVEList
CVE-2020-12388: The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape (2020-05-26)

📋 Vendor Advisories (4)

Red Hat
Mozilla: Sandbox escape with improperly guarded Access Tokens (2020-05-05)
Debian
CVE-2020-12388: firefox - The Firefox content processes did not sufficiently lockdown access control which... (2020)
Mozilla
Mozilla Foundation Security Advisory 2020-17: CVE-2020-12388
Mozilla
Mozilla Foundation Security Advisory 2020-16: CVE-2020-12388

💬 Community (2)

Bugzilla
CVE-2020-12388 Mozilla: Sandbox escape with improperly guarded Access Tokens (2020-05-06)
Bugzilla
Firefox: Default Content Process DACL Sandbox Escape (2020-02-28)