Vulnerability CVE-2020-26976

Vulnerability Name:

CVE-2020-26976 (CCN-193224)

Assigned:

2020-12-15

Published:

2020-12-15

Updated:

2021-02-15

Summary:

When a HTTPS pages was embedded in a HTTP page, and there was a service worker registered for the former, the service worker could have intercepted the request for the secure page despite the iframe not being a secure context due to the (insecure) framing. This vulnerability affects Firefox < 84.

CVSS v3 Severity:

6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

6.1 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.3 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:C/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Complete Availibility (A): None

Vulnerability Type:

CWE-noinfo
CWE-200

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2020-26976

Source: MISC
Type: Issue Tracking, Permissions Required, Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1674343

Source: XF
Type: UNKNOWN
firefox-cve202026976-sec-bypass(193224)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210202 [SECURITY] [DLA 2539-1] firefox-esr security update

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210202 [SECURITY] [DLA 2541-1] thunderbird security update

Source: GENTOO
Type: Third Party Advisory
GLSA-202102-02

Source: DEBIAN
Type: Third Party Advisory
DSA-4840

Source: DEBIAN
Type: Third Party Advisory
DSA-4842

Source: CCN
Type: IBM Security Bulletin 6454029 (Cloud Pak for Multicloud Management)
Multiple vulnerabilities in Mozilla Firefox affect IBM Cloud Pak for Multicloud Management Monitoring

Source: CCN
Type: Mozilla Foundation Security Advisory 2020-54
Security Vulnerabilities fixed in Firefox 84

Source: MISC
Type: Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2020-54/

Vulnerable Configuration:

Configuration 1:

cpe:/a:mozilla:firefox:*:*:*:*:*:*:*:* (Version < 84.0)

Configuration 2:

cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration RedHat 6:

cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:7868	P	MozillaFirefox-102.11.0-150200.152.87.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:645	P	Security update for php7 (Moderate) (in QA)	2022-10-04
oval:org.opensuse.security:def:95329	P	Security update for python3 (Important)	2022-07-11
oval:org.opensuse.security:def:3546	P	libICE6-1.0.8-12.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3252	P	libsmi-0.4.8-18.55 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94788	P	ppc64-diag-2.7.7-150400.1.8 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94882	P	MozillaFirefox-91.8.0-150200.152.26.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95176	P	MozillaThunderbird-91.8.0-150200.8.65.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:111899	P	MozillaFirefox-92.0-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:111905	P	MozillaThunderbird-91.1.1-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:99705	P	(Moderate)	2021-12-07
oval:org.opensuse.security:def:100014	P	(Important)	2021-11-11
oval:org.opensuse.security:def:1639	P	Security update for squid (Moderate)	2021-10-20
oval:org.opensuse.security:def:93106	P	(Important)	2021-10-15
oval:org.opensuse.security:def:105476	P	MozillaFirefox-92.0-1.2 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:105478	P	MozillaThunderbird-91.1.1-1.1 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:101501	P	Security update for sssd (Important)	2021-09-03
oval:org.opensuse.security:def:93422	P	(Important)	2021-09-03
oval:org.opensuse.security:def:62728	P	MozillaFirefox-78.10.0-8.38.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:101134	P	MozillaFirefox-78.10.0-8.38.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:72447	P	MozillaFirefox-78.10.0-8.38.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:93259	P	(Moderate)	2021-07-20
oval:org.opensuse.security:def:99115	P	(Important)	2021-06-18
oval:org.opensuse.security:def:5781	P	Security update for spice (Important)	2021-06-08
oval:org.opensuse.security:def:102042	P	Security update for java-11-openjdk (Important)	2021-05-11
oval:org.opensuse.security:def:74300	P	Security update for MozillaFirefox (Important)	2021-02-01
oval:org.opensuse.security:def:97164	P	Security update for MozillaFirefox (Important)	2021-02-01
oval:org.opensuse.security:def:102986	P	Security update for MozillaThunderbird (Important)	2021-02-01
oval:org.opensuse.security:def:108167	P	Security update for MozillaFirefox (Important)	2021-02-01
oval:org.opensuse.security:def:10652	P	Security update for MozillaThunderbird (Important)	2021-02-01
oval:org.opensuse.security:def:110662	P	Security update for MozillaFirefox (Important)	2021-02-01
oval:org.opensuse.security:def:117681	P	Security update for MozillaFirefox (Important)	2021-02-01
oval:org.opensuse.security:def:4143	P	Security update for MozillaFirefox (Important)	2021-02-01
oval:org.opensuse.security:def:119792	P	Security update for MozillaThunderbird (Important)	2021-02-01
oval:org.opensuse.security:def:109652	P	Security update for MozillaThunderbird (Important)	2021-02-01
oval:org.opensuse.security:def:111201	P	Security update for MozillaFirefox (Important)	2021-02-01
oval:org.opensuse.security:def:97162	P	Security update for MozillaThunderbird (Important)	2021-02-01
oval:org.opensuse.security:def:96314	P	Security update for MozillaThunderbird (Important)	2021-02-01
oval:org.opensuse.security:def:70792	P	Security update for MozillaThunderbird (Important)	2021-02-01
oval:org.opensuse.security:def:65232	P	Security update for MozillaFirefox (Important)	2021-02-01
oval:org.opensuse.security:def:111199	P	Security update for MozillaThunderbird (Important)	2021-01-30
oval:org.opensuse.security:def:110661	P	Security update for MozillaThunderbird (Important)	2021-01-30
oval:org.opensuse.security:def:38654	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:92165	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:99913	P	Security update for MozillaThunderbird (Important)	2021-01-29
oval:org.opensuse.security:def:9557	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:69896	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:97578	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:60311	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:86119	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:31222	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:55834	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:81091	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:5078	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:23161	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:44374	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:92953	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:90613	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:99307	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:66491	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:88472	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:97159	P	Security update for MozillaThunderbird (Important)	2021-01-29
oval:org.opensuse.security:def:33686	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:58787	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:84179	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:126740	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:28923	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:51926	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:39944	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:75559	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:92357	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:9756	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:70447	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:98163	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:4069	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:86605	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:31655	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:57045	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:82130	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:23622	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:45584	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:108708	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:91198	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:99506	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:8809	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:66870	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:89164	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:97160	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:33944	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:59509	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:84638	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:127137	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:29399	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:54746	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:41154	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:75938	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:92556	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:104268	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:10307	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:70739	P	Security update for MozillaThunderbird (Important)	2021-01-29
oval:org.opensuse.security:def:98920	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:65158	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:87428	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:32141	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:57478	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:82606	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:23938	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:51149	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:74226	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:91970	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:9004	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:69697	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:89422	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:34488	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:59767	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:85686	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:30011	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:55222	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:21401	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:43084	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:92755	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:104853	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:10599	P	Security update for MozillaThunderbird (Important)	2021-01-29
oval:org.opensuse.security:def:5402	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:88158	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:32964	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:57964	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:83218	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:125571	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:26091	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:51610	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:com.redhat.rhsa:def:20210290	P	RHSA-2021:0290: firefox security update (Important)	2021-01-28
oval:com.redhat.rhsa:def:20210297	P	RHSA-2021:0297: thunderbird security update (Important)	2021-01-28
oval:com.redhat.rhsa:def:20210298	P	RHSA-2021:0298: thunderbird security update (Important)	2021-01-28
oval:com.redhat.rhsa:def:20210288	P	RHSA-2021:0288: firefox security update (Important)	2021-01-27

BACK