CVE-2020-16012Inclusion of Functionality from Untrusted Control Sphere in Google Chrome

CWE-829Inclusion of Functionality from Untrusted Control Sphere12 documents8 sources
Severity
4.3MEDIUMNVD
EPSS
4.9%
top 10.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
9
Google ChromeChromiumMozilla Thunderbird+6 more
Timeline
PublishedJan 8
Latest updateMay 24

Description

Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages11 packages

CVEListV5google/chromeunspecified87.0.4280.66
NVDgoogle/chrome< 87.0.4280.66
debiandebian/firefox< chromium 87.0.4280.88-0.1 (bookworm)
NVDmozilla/firefox< 83.0

Patches

Patch: crbug.comPatch: crbug.com

🔴Vulnerability Details

2
GHSA
GHSA-g84f-574q-5p85: Side-channel information leakage in graphics in Google Chrome prior to 872022-05-24
OSV
CVE-2020-16012: Side-channel information leakage in graphics in Google Chrome prior to 872021-01-08

📋Vendor Advisories

9
Ubuntu
Thunderbird vulnerabilities2020-11-25
Ubuntu
Firefox vulnerabilities2020-11-19
Ubuntu
Firefox vulnerabilities2020-11-18
Chrome
Stable Channel Update for Desktop: CVE-2020-160122020-11-17
Red Hat
Mozilla: Variable time processing of cross-origin images during drawImage calls2020-11-17