Reported

August 18, 2020

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

mozwire (crates.io)

Type

Vulnerability

Keywords

#file-overwrite

Aliases

• CVE-2020-35883
• GHSA-4vhw-4rw7-jfpv

References

• https://github.com/NilsIrl/MozWire/issues/14

CVSS Score

9.1 CRITICAL

CVSS Details

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Patched

• >0.4.1

Description

The client software downloaded a list of servers from mozilla's servers and created local files named after the hostname field in the json document.

No verification of the content of the string was made, and it could therefore have included '../' leading to path traversal.

This allows an attacker in control of mozilla's servers to overwrite/create local files named .conf.

The flaw was corrected by sanitizing the hostname field.

Advisory available under CC0-1.0 license.