CVE-2020-12423 — Uncontrolled Search Path Element in Mozilla Firefox

CWE-427 — Uncontrolled Search Path Element CWE-426 — Untrusted Search Path8 documents7 sources

Severity

7.8HIGHNVD

EPSS

0.3%

top 48.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedJul 9

Latest updateMay 24

Description

When the Windows DLL "webauthn.dll" was missing from the Operating System, and a malicious one was placed in a folder in the user's %PATH%, Firefox may have loaded the DLL, leading to arbitrary code execution. *Note: This issue only affects the Windows operating system; other operating systems are unaffected.* This vulnerability affects Firefox < 78.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5mozilla/firefoxunspecified — 78

▶NVDmozilla/firefox< 78.0

▶debiandebian/firefox

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

GHSA-qj63-c77f-88gh: When the Windows DLL "webauthn↗2022-05-24

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Applications Risk Matrix: REST API (Apache CXF) — CVE-2019-12423↗2020-07-15

▶

Red Hat

Mozilla: DLL Hijacking due to searching %PATH% for a library↗2020-06-30

▶

Debian

CVE-2020-12423: firefox - When the Windows DLL "webauthn.dll" was missing from the Operating System, and a...↗2020

▶

Mozilla

Mozilla Foundation Security Advisory 2020-29: CVE-2020-12423↗

▶

Mozilla

Mozilla Foundation Security Advisory 2020-24: CVE-2020-12423↗

▶

💬Community

Bugzilla

CVE-2020-12423 Mozilla: DLL Hijacking due to searching %PATH% for a library↗2020-08-26

▶