CVE-2020-6811: 
NixOS vulnerability analysis and mitigation

CVE-2020-6811 is a security vulnerability discovered in Mozilla Firefox's DevTools 'Copy as cURL' feature. The vulnerability was disclosed on March 10, 2020, affecting multiple Mozilla products including Firefox < 74, Firefox ESR < 68.6, and Thunderbird < 68.6. The issue stems from improper escaping of HTTP method requests in the network tab's 'Copy as cURL' functionality (Mozilla Advisory).

The vulnerability occurs when the DevTools' network tab's 'Copy as cURL' feature fails to properly escape the HTTP method of a request, which can be controlled by a website. The issue specifically arises from the lack of proper escaping in the command generation process, allowing for potential command injection. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary commands on the user's system through command injection. The attack requires user interaction, specifically when a user copies a malicious request using the 'Copy as cURL' feature and pastes it into their terminal. This could lead to arbitrary command execution with the privileges of the user running the terminal (Mozilla Advisory).

The vulnerability has been patched in Firefox 74, Firefox ESR 68.6, and Thunderbird 68.6. Users are advised to update their software to these versions or later. Ubuntu users can update to thunderbird version 1:68.7.0+build1-0ubuntu0.19.10.1 for Ubuntu 19.10 and 1:68.7.0+build1-0ubuntu0.18.04.1 for Ubuntu 18.04 (Ubuntu Advisory).