National Vulnerability Database (NVD) National Vulnerability Database (CVE-2008-4069)

National Cyber-Alert System

Vulnerability Summary for CVE-2008-4069

Original release date:09/24/2008

Last revised:04/16/2009

Source: US-CERT/NIST

Overview

The XBM decoder in Mozilla Firefox before 2.0.0.17 and SeaMonkey before 1.1.12 allows remote attackers to read uninitialized memory, and possibly obtain sensitive information in opportunistic circumstances, via a crafted XBM image file.

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type:Allows unauthorized disclosure of information

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: FEDORA

Name: FEDORA-2008-8429

Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2008-September/msg01403.html

External Source: FEDORA

Name: FEDORA-2008-8401

Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2008-September/msg01384.html

External Source: CONFIRM

Name: https://bugzilla.mozilla.org/show_bug.cgi?id=449703

Hyperlink:https://bugzilla.mozilla.org/show_bug.cgi?id=449703

External Source: XF

Name: firefox-xbmdecoder-information-disclosure(45361)

Hyperlink:http://xforce.iss.net/xforce/xfdb/45361

External Source: VUPEN

Name: ADV-2009-0977

Hyperlink:http://www.vupen.com/english/advisories/2009/0977

External Source: UBUNTU

Name: USN-645-2

Hyperlink:http://www.ubuntu.com/usn/usn-645-2

External Source: UBUNTU

Name: USN-645-1

Hyperlink:http://www.ubuntu.com/usn/usn-645-1

External Source: SECTRACK

Name: 1020923

Hyperlink:http://www.securitytracker.com/id?1020923

External Source: BID

Name: 31346

Hyperlink:http://www.securityfocus.com/bid/31346

External Source: REDHAT

Name: RHSA-2008:0882

Hyperlink:http://www.redhat.com/support/errata/RHSA-2008-0882.html

External Source: CONFIRM

Name: http://www.mozilla.org/security/announce/2008/mfsa2008-45.html

Hyperlink:http://www.mozilla.org/security/announce/2008/mfsa2008-45.html

External Source: MANDRIVA

Name: MDVSA-2008:205

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2008:205

External Source: VUPEN

Name: ADV-2008-2661

Hyperlink:http://www.frsirt.com/english/advisories/2008/2661

External Source: DEBIAN

Name: DSA-1697

Hyperlink:http://www.debian.org/security/2009/dsa-1697

External Source: DEBIAN

Name: DSA-1669

Hyperlink:http://www.debian.org/security/2008/dsa-1669

External Source: MISC

Name: http://www.blackhat.com/presentations/bh-usa-08/Hoffman/Hoffman-BH2008-CircumventingJavaScript.ppt

Hyperlink:http://www.blackhat.com/presentations/bh-usa-08/Hoffman/Hoffman-BH2008-CircumventingJavaScript.ppt

External Source: SUNALERT

Name: 256408

Hyperlink:http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1

External Source: SLACKWARE

Name: SSA:2008-269-01

Hyperlink:http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.405232

External Source: SLACKWARE

Name: SSA:2008-269-02

Hyperlink:http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.379422

External Source: SECUNIA

Name: 34501

Hyperlink:http://secunia.com/advisories/34501

External Source: SECUNIA

Name: 33433

Hyperlink:http://secunia.com/advisories/33433

External Source: SECUNIA

Name: 32845

Hyperlink:http://secunia.com/advisories/32845

External Source: SECUNIA

Name: 32144

Hyperlink:http://secunia.com/advisories/32144

External Source: SECUNIA

Name: 32044

Hyperlink:http://secunia.com/advisories/32044

External Source: SECUNIA

Name: 32042

Hyperlink:http://secunia.com/advisories/32042

External Source: SECUNIA

Name: 32012

Hyperlink:http://secunia.com/advisories/32012

External Source: SECUNIA

Name: 32010

Hyperlink:http://secunia.com/advisories/32010

External Source: SECUNIA

Name: 31985

Hyperlink:http://secunia.com/advisories/31985

External Source: SECUNIA

Name: 31984

Hyperlink:http://secunia.com/advisories/31984

External Source: SUSE

Name: SUSE-SA:2008:050

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00005.html

External Source: CONFIRM

Name: http://download.novell.com/Download?buildid=WZXONb-tqBw~

Hyperlink:http://download.novell.com/Download?buildid=WZXONb-tqBw~

Vulnerable software and versions

Configuration 1

* cpe:/a:mozilla:firefox:0.8

* cpe:/a:mozilla:firefox:0.10.1

* cpe:/a:mozilla:firefox:0.9.1

* cpe:/a:mozilla:firefox:0.9

* cpe:/a:mozilla:firefox:0.9.3

* cpe:/a:mozilla:firefox:0.9.2

* cpe:/a:mozilla:firefox:0.9:rc

* cpe:/a:mozilla:firefox:0.9_rc

* cpe:/a:mozilla:firefox:0.10

* cpe:/a:mozilla:firefox:1.0.1

* cpe:/a:mozilla:firefox:1.0

* cpe:/a:mozilla:firefox:1.0.3

* cpe:/a:mozilla:firefox:1.0.2

* cpe:/a:mozilla:firefox:1.0.5

* cpe:/a:mozilla:firefox:1.0.4

* cpe:/a:mozilla:firefox:1.0.7

* cpe:/a:mozilla:firefox:1.0.6

* cpe:/a:mozilla:firefox:1.0.8

* cpe:/a:mozilla:firefox:1.5.0.4

* cpe:/a:mozilla:firefox:1.5.0.5

* cpe:/a:mozilla:firefox:1.5.0.2

* cpe:/a:mozilla:firefox:1.5.0.3

* cpe:/a:mozilla:firefox:1.5.0.11

* cpe:/a:mozilla:firefox:1.5.0.12

* cpe:/a:mozilla:firefox:1.5.0.1

* cpe:/a:mozilla:firefox:1.5.0.10

* cpe:/a:mozilla:firefox:1.5

* cpe:/a:mozilla:firefox:1.5.0.6

* cpe:/a:mozilla:firefox:1.5.7

* cpe:/a:mozilla:firefox:1.5.6

* cpe:/a:mozilla:firefox:1.5.5

* cpe:/a:mozilla:firefox:1.5.3

* cpe:/a:mozilla:firefox:1.5.4

* cpe:/a:mozilla:firefox:1.5.1

* cpe:/a:mozilla:firefox:1.5.2

* cpe:/a:mozilla:firefox:1.5.0.8

* cpe:/a:mozilla:firefox:1.5.0.9

* cpe:/a:mozilla:firefox:1.5.0.7

* cpe:/a:mozilla:firefox:1.5:beta2

* cpe:/a:mozilla:firefox:2.0

* cpe:/a:mozilla:firefox:1.8

* cpe:/a:mozilla:firefox:1.5.8

* cpe:/a:mozilla:firefox:2.0.0.12

* cpe:/a:mozilla:firefox:1.5:beta1

* cpe:/a:mozilla:firefox:2.0.0.10

* cpe:/a:mozilla:firefox:2.0.0.13

* cpe:/a:mozilla:firefox:2.0.0.1

* cpe:/a:mozilla:firefox:2.0.0.11

* cpe:/a:mozilla:firefox:2.0.0.14

* cpe:/a:mozilla:firefox:2.0.0.15

* cpe:/a:mozilla:firefox:2.0.0.16 and previous versions

* cpe:/a:mozilla:seamonkey

* cpe:/a:mozilla:seamonkey:1.0.8

* cpe:/a:mozilla:seamonkey:1.0.7

* cpe:/a:mozilla:seamonkey:1.0.6

* cpe:/a:mozilla:seamonkey:1.0.1

* cpe:/a:mozilla:seamonkey:1.0

* cpe:/a:mozilla:seamonkey:1.0.5

* cpe:/a:mozilla:seamonkey:1.0.4

* cpe:/a:mozilla:seamonkey:1.0.3

* cpe:/a:mozilla:seamonkey:1.0.2

* cpe:/a:mozilla:seamonkey:1.0.9

* cpe:/a:mozilla:seamonkey:1.0.99

* cpe:/a:mozilla:seamonkey:1.0::alpha

* cpe:/a:mozilla:seamonkey:1.0::dev

* cpe:/a:mozilla:seamonkey:1.0:beta

* cpe:/a:mozilla:seamonkey:1.1

* cpe:/a:mozilla:seamonkey:1.1.1

* cpe:/a:mozilla:seamonkey:1.1.10

* cpe:/a:mozilla:seamonkey:1.1.11 and previous versions

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

Information Leak / Disclosure (CWE-200)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4069