CVE-2020-16012
Published 2021-01-08
CVE-2020-16012: Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
Priority: P4 · 19 · medium · 4.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
EPSS: 2.47% (82.6th percentile)
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 87.0.4280.88-0.1 | 87.0.4280.88-0.1 |
| chromium | chromium | >= 0 < 87.0.4280.88-0.1 | 87.0.4280.88-0.1 |
| chromium | chromium | >= 0 < 87.0.4280.88-0.1 | 87.0.4280.88-0.1 |
| chromium | chromium | >= 0 < 87.0.4280.88-0.1 | 87.0.4280.88-0.1 |
| debian | chromium | < chromium 87.0.4280.88-0.1 (bookworm) | chromium 87.0.4280.88-0.1 (bookworm) |
| debian | firefox | < chromium 87.0.4280.88-0.1 (bookworm) | chromium 87.0.4280.88-0.1 (bookworm) |
| debian | firefox-esr | < chromium 87.0.4280.88-0.1 (bookworm) | chromium 87.0.4280.88-0.1 (bookworm) |
| debian | thunderbird | < chromium 87.0.4280.88-0.1 (bookworm) | chromium 87.0.4280.88-0.1 (bookworm) |
|  | chrome | < 87.0.4280.66 | 87.0.4280.66 |
|  | chrome | >= unspecified < 87.0.4280.66 | 87.0.4280.66 |
|  | chrome_chrome | — | — |
| mozilla | firefox | < 83.0 | 83.0 |
| mozilla | firefox | — | — |
| mozilla | thunderbird | >= 0 < 1:78.5.0-1 | 1:78.5.0-1 |
| mozilla | thunderbird | >= 0 < 1:78.5.0-1 | 1:78.5.0-1 |
| mozilla | thunderbird | >= 0 < 1:78.5.0-1 | 1:78.5.0-1 |
| mozilla | thunderbird | >= 0 < 1:78.5.0-1 | 1:78.5.0-1 |
CVSS provenance
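| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| osv | | 4.3 | MEDIUM | |
| vendor_debian | | 4.3 | MEDIUM | |
| vendor_redhat | | 4.3 | MEDIUM | |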
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2020-11-25
CVE-2020-16012 Thunderbird vulnerabilities
Title: Thunderbird vulnerabilities
Summary: Several security issues were fixed in Thunderbird.
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context,
an attacker could potentially exploit these to cause a denial of service,
obtain sensitive information across origins, bypass security restrictions,
conduct phishing attacks, conduct cross-site scripting (XSS) attacks,
bypass Content Security Policy (CSP) restrictions, conduct DNS rebinding
attacks, or execute arbitrary code.
Instructions: After a standard system update you need to restart Thunderbird to make
all the necessary changes.
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2020-11-19
CVE-2020-26958 Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
USN-4637-1 fixed vulnerabilities in Firefox. This update provides the
corresponding updates for Ubuntu 16.04 LTS.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across origins, bypass security restrictions, conduct phishing
attacks, conduct cross-site scripting (XSS) attacks, bypass Content
Security Policy (CSP) restrictions, conduct DNS rebinding attacks, or
execute arbitrary code.
Instructions: After a standard system update you need to restart Firefox
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2020-11-18
CVE-2020-26952 Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across origins, bypass security restrictions, conduct phishing
attacks, conduct cross-site scripting (XSS) attacks, bypass Content
Security Policy (CSP) restrictions, conduct DNS rebinding attacks, or
execute arbitrary code.
Instructions: After a standard system update you need to restart Firefox to make
all the necessary changes.
Chrome
Stable Channel Update for Desktop: CVE-2020-16012
vendor_chrome·2020-11-17·CVSS 4.3
CVE-2020-16012 [LOW] Stable Channel Update for Desktop: CVE-2020-16012
Stable Channel Update for Desktop
CVE-2020-16012: Side-channel information leakage in graphics. Reported by Aleksejs Popovs on 2020-05-30
[$500][830808] Low CVE-2020-16036: Inappropriate implementation in cookies. Reported by Jun Kokatsu (@shhnjk) on 2018-04-09
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Severity: low
Red Hat
Mozilla: Variable time processing of cross-origin images during drawImage calls
vendor_redhat·2020-11-17·CVSS 4.3
CVE-2020-16012 [MEDIUM] CWE-829 Mozilla: Variable time processing of cross-origin images during drawImage calls
Mozilla: Variable time processing of cross-origin images during drawImage calls
Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
Package: firefox (Red Hat Enterprise Linux 5) - Out of support scope
Package: chromium-browser (Red Hat Enterprise Linux 6) - Will not fix
Debian
CVE-2020-16012: chromium - Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280...
vendor_debian·2020·CVSS 4.3
CVE-2020-16012 [MEDIUM] CVE-2020-16012: chromium - Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280...
Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 87.0.4280.88-0.1)
bullseye: resolved (fixed in 87.0.4280.88-0.1)
forky: resolved (fixed in 87.0.4280.88-0.1)
sid: resolved (fixed in 87.0.4280.88-0.1)
trixie: resolved (fixed in 87.0.4280.88-0.1)
Mozilla
Mozilla Foundation Security Advisory 2020-52: CVE-2020-16012
vendor_mozilla·CVSS 4.3
CVE-2020-16012 [MEDIUM] Mozilla Foundation Security Advisory 2020-52: CVE-2020-16012
Mozilla Foundation Security Advisory 2020-52
CVE: CVE-2020-16012
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 78.5
Mozilla
Mozilla Foundation Security Advisory 2020-51: CVE-2020-16012
vendor_mozilla·CVSS 4.3
CVE-2020-16012 [MEDIUM] Mozilla Foundation Security Advisory 2020-51: CVE-2020-16012
Mozilla Foundation Security Advisory 2020-51
CVE: CVE-2020-16012
Product: Firefox ESR
Impact: high
Fixed in: Firefox ESR 78.5
Mozilla
Mozilla Foundation Security Advisory 2020-50: CVE-2020-16012
vendor_mozilla·CVSS 4.3
CVE-2020-16012 [MEDIUM] Mozilla Foundation Security Advisory 2020-50: CVE-2020-16012
Mozilla Foundation Security Advisory 2020-50
CVE: CVE-2020-16012
Product: Firefox
Impact: high
Fixed in: Firefox 83
GHSA
GHSA-g84f-574q-5p85: Side-channel information leakage in graphics in Google Chrome prior to 87
ghsa_unreviewed·2022-05-24
CVE-2020-16012 [MEDIUM] GHSA-g84f-574q-5p85: Side-channel information leakage in graphics in Google Chrome prior to 87
Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
OSV
CVE-2020-16012: Side-channel information leakage in graphics in Google Chrome prior to 87
osv·2021-01-08·CVSS 4.3
CVE-2020-16012 [MEDIUM] CVE-2020-16012: Side-channel information leakage in graphics in Google Chrome prior to 87
Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-01-08