CVE-2020-6812
published 2020-03-25

Priority: P426, medium, 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 1.56% (72.2th percentile)

The first time AirPods are connected to an iPhone, they become named after the user's name by default (e.g. Jane Doe's AirPods.) Websites with camera or microphone permission are able to enumerate device names, disclosing the user's name. To resolve this issue, Firefox added a special case that renames devices containing the substring 'AirPods' to simply 'AirPods'. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6.

Affected

22 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| debian | firefox | < firefox 74.0-1 (sid) | firefox 74.0-1 (sid) |
| debian | firefox-esr | < firefox 74.0-1 (sid) | firefox 74.0-1 (sid) |
| debian | thunderbird | < firefox 74.0-1 (sid) | firefox 74.0-1 (sid) |
| mozilla | firefox | < 74.0 | 74.0 |
| mozilla | firefox | | |
| mozilla | firefox | >= 0 < 74.0+build3-0ubuntu0.16.04.1 | 74.0+build3-0ubuntu0.16.04.1 |
| mozilla | firefox | >= 0 < 74.0+build3-0ubuntu0.18.04.1 | 74.0+build3-0ubuntu0.18.04.1 |
| mozilla | firefox | >= unspecified < 74 | 74 |
| mozilla | firefox | >= unspecified < ESR68.6 | ESR68.6 |
| mozilla | firefox_esr | < 68.6.0 | 68.6.0 |
| mozilla | firefox_esr | >= unspecified < 68.6 | 68.6 |
| mozilla | thunderbird | < 68.6.0 | 68.6.0 |
| mozilla | thunderbird | >= 0 < 1:68.6.0-1 | 1:68.6.0-1 |
| mozilla | thunderbird | >= 0 < 1:68.6.0-1 | 1:68.6.0-1 |
| mozilla | thunderbird | >= 0 < 1:68.6.0-1 | 1:68.6.0-1 |
| mozilla | thunderbird | >= 0 < 1:68.6.0-1 | 1:68.6.0-1 |
| mozilla | thunderbird | >= 0 < 1:68.7.0+build1-0ubuntu0.16.04.2 | 1:68.7.0+build1-0ubuntu0.16.04.2 |
| mozilla | thunderbird | >= 0 < 1:68.7.0+build1-0ubuntu0.18.04.1 | 1:68.7.0+build1-0ubuntu0.18.04.1 |
| mozilla | thunderbird | >= unspecified < 68.6 | 68.6 |

CVSS provenance

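| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | | 8.8 | HIGH | |
| vendor_ubuntu | | 8.8 | HIGH | |
| vendor_debian | | 5.3 | MEDIUM | |
| vendor_redhat | | 5.3 | MEDIUM | |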