CVE-2020-6805: 
NixOS vulnerability analysis and mitigation

CVE-2020-6805 is a use-after-free vulnerability discovered in Mozilla products that affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6. The vulnerability was discovered by Brian Carpenter and disclosed in March 2020. The issue occurs when removing data about an origin whose tab was recently closed, where a use-after-free condition could occur in the Quota manager (Mozilla Advisory, NVD).

The vulnerability is caused by a heap-use-after-free condition that occurs in the Quota manager component, specifically in the mozilla::dom::quota::QuotaObject::LockedMaybeUpdateSize function. The issue has a CVSS v3.1 base score of 8.8 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-416 (Use After Free) (NVD).

This vulnerability results in a potentially exploitable crash that could lead to arbitrary code execution. The high severity rating indicates that successful exploitation could result in significant impact on confidentiality, integrity, and availability of the affected system (Mozilla Advisory).

The vulnerability was fixed in Firefox 74, Firefox ESR 68.6, and Thunderbird 68.6. Users should update their software to these versions or later to mitigate the vulnerability. For Thunderbird specifically, it's noted that the flaw cannot be exploited through email alone since scripting is disabled when reading mail, but remains a potential risk in browser or browser-like contexts (Mozilla Advisory).