CVE-2020-16012 - log back

CVE-2020-16012 edited at 18 Nov 2020 17:33:59
Description
- An information disclosure issue has been found in Firefox before 83.0. When drawing a transparent image on top of an unknown cross-origin image, the Skia library drawImage function took a variable amount of time depending on the content of the underlying image. This resulted in potential cross-origin information exposure of image content through timing side-channel attacks.
+ An information disclosure issue has been found in Firefox before 83.0 and chromium before 87.0.4280.66. When drawing a transparent image on top of an unknown cross-origin image, the Skia library drawImage function took a variable amount of time depending on the content of the underlying image. This resulted in potential cross-origin information exposure of image content through timing side-channel attacks.
CVE-2020-16012 edited at 18 Nov 2020 09:28:24
Description
- A parsing and event loading mismatch has been found in Firefox's SVG code before 83.0 and could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass the built-in sanitizer.
+ An information disclosure issue has been found in Firefox before 83.0. When drawing a transparent image on top of an unknown cross-origin image, the Skia library drawImage function took a variable amount of time depending on the content of the underlying image. This resulted in potential cross-origin information exposure of image content through timing side-channel attacks.
CVE-2020-16012 edited at 18 Nov 2020 07:56:01
Severity
- High
+ Medium
Type
- Access restriction bypass
+ Information disclosure
References
- https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26951
+ https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-16012
- https://bugzilla.mozilla.org/show_bug.cgi?id=1667113
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1642028
CVE-2020-16012 edited at 17 Nov 2020 18:35:32
Severity
- Unknown
+ High
Remote
- Unknown
+ Remote
Type
- Unknown
+ Access restriction bypass
Description
+ A parsing and event loading mismatch has been found in Firefox's SVG code before 83.0 and could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass the built-in sanitizer.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26951
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1667113
Notes
CVE-2020-16012 created at 17 Nov 2020 18:15:06