National Vulnerability Database (NVD) National Vulnerability Database (CVE-2007-3845)

Mission and Overview

NVD is the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA).

Resource Status

NVD contains:

CVE Vulnerabilities: 38426
Checklists: 128
US-CERT Alerts: 179
US-CERT Vuln Notes: 2345
OVAL Queries: 2517
CPE Names: 17819

Last updated: Tue Aug 25 06:41:40 EDT 2009

CVE Publication rate: 17.23

Email List

NVD provides four mailing lists to the public. For information and subscription instructions please visit NVD Mailing Lists

Workload Index

Vulnerability Workload Index: 9.82

About Us

NVD is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security's National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).

NIST Security Configuration Checklists - CSD

CVE

CCE - Common Configuration Enumeration

CVSS

XCCDF - security benchmark automation

OVAL

National Cyber-Alert System

Vulnerability Summary for CVE-2007-3845

Original release date:08/08/2007

Last revised:11/15/2008

Source: US-CERT/NIST

Overview

Mozilla Firefox before 2.0.0.6, Thunderbird before 1.5.0.13 and 2.x before 2.0.0.6, and SeaMonkey before 1.1.4 allow remote attackers to execute arbitrary commands via certain vectors associated with launching "a file handling program based on the file extension at the end of the URI," a variant of CVE-2007-4041. NOTE: the vendor states that "it is still possible to launch a filetype handler based on extension rather than the registered protocol handler."

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C) (legend)

Impact Subscore: 10.0

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type:Provides administrator access, Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service

Vendor Statments (disclaimer)

Official Statement from Red Hat (10/10/2007): Not vulnerable. This issue does not affect the versions of Firefox or Thunderbird as shipped with Red Hat Enterprise Linux.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: BUGTRAQ

Name: 20070803 FLEA-2007-0040-1 thunderbird

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/475450/30/5550/threaded

External Source: CONFIRM

Name: http://www.mozilla.org/security/announce/2007/mfsa2007-27.html

Hyperlink:http://www.mozilla.org/security/announce/2007/mfsa2007-27.html

External Source: CONFIRM

Name: http://bugzilla.mozilla.org/show_bug.cgi?id=389580

Hyperlink:http://bugzilla.mozilla.org/show_bug.cgi?id=389580

External Source: CONFIRM

Name: https://issues.rpath.com/browse/RPL-1600

Hyperlink:https://issues.rpath.com/browse/RPL-1600

External Source: CONFIRM

Name: https://bugzilla.mozilla.org/show_bug.cgi?id=389106

Hyperlink:https://bugzilla.mozilla.org/show_bug.cgi?id=389106

External Source: UBUNTU

Name: USN-503-1

Hyperlink:http://www.ubuntu.com/usn/usn-503-1

External Source: UBUNTU

Name: USN-493-1

Hyperlink:http://www.ubuntu.com/usn/usn-493-1

External Source: BID

Name: 25053

Hyperlink:http://www.securityfocus.com/bid/25053

External Source: BUGTRAQ

Name: 20070801 FLEA-2007-0039-1 firefox

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/475265/100/200/threaded

External Source: MANDRIVA

Name: MDVSA-2008:047

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2008:047

External Source: MANDRIVA

Name: MDVSA-2007:047

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2007:047

External Source: MANDRIVA

Name: MDKSA-2007:152

Hyperlink:http://www.mandriva.com/security/advisories?name=MDKSA-2007:152

External Source: VUPEN

Name: ADV-2008-0082

Hyperlink:http://www.frsirt.com/english/advisories/2008/0082

External Source: VUPEN

Name: ADV-2007-4256

Hyperlink:http://www.frsirt.com/english/advisories/2007/4256

External Source: DEBIAN

Name: DSA-1391

Hyperlink:http://www.debian.org/security/2007/dsa-1391

External Source: DEBIAN

Name: DSA-1346

Hyperlink:http://www.debian.org/security/2007/dsa-1346

External Source: DEBIAN

Name: DSA-1345

Hyperlink:http://www.debian.org/security/2007/dsa-1345

External Source: DEBIAN

Name: DSA-1344

Hyperlink:http://www.debian.org/security/2007/dsa-1344

External Source: SUNALERT

Name: 201516

Hyperlink:http://sunsolve.sun.com/search/document.do?assetkey=1-66-201516-1

External Source: SUNALERT

Name: 103177

Hyperlink:http://sunsolve.sun.com/search/document.do?assetkey=1-26-103177-1

External Source: SLACKWARE

Name: SSA:2007-213-01

Hyperlink:http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.010101

External Source: SECUNIA

Name: 28135

Hyperlink:http://secunia.com/advisories/28135

External Source: SECUNIA

Name: 27414

Hyperlink:http://secunia.com/advisories/27414

External Source: SECUNIA

Name: 27326

Hyperlink:http://secunia.com/advisories/27326

External Source: SECUNIA

Name: 26572

Hyperlink:http://secunia.com/advisories/26572

External Source: SECUNIA

Name: 26393

Hyperlink:http://secunia.com/advisories/26393

External Source: SECUNIA

Name: 26335

Hyperlink:http://secunia.com/advisories/26335

External Source: SECUNIA

Name: 26331

Hyperlink:http://secunia.com/advisories/26331

External Source: SECUNIA

Name: 26309

Hyperlink:http://secunia.com/advisories/26309

External Source: SECUNIA

Name: 26303

Hyperlink:http://secunia.com/advisories/26303

External Source: SECUNIA

Name: 26258

Hyperlink:http://secunia.com/advisories/26258

External Source: SECUNIA

Name: 26234

Hyperlink:http://secunia.com/advisories/26234

External Source: HP

Name: SSRT061236

Hyperlink:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00774579

External Source: HP

Name: HPSBUX02153

Hyperlink:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742

Vulnerable software and versions

Configuration 1

AND

OR

cpe:/o:microsoft:windows_xp

OR

* cpe:/a:mozilla:firefox:2.0.0.5

* cpe:/a:mozilla:seamonkey:1.1.3

* cpe:/a:mozilla:thunderbird:2.0.0.5

* Denotes Vulnerable Software

* Changes related to vulnerability configurations

Technical Details

Vulnerability Type (View All)

Insufficient Information (NVD-CWE-noinfo)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3845