National Vulnerability Database (NVD) National Vulnerability Database (CVE-2009-1835)

National Cyber-Alert System

Vulnerability Summary for CVE-2009-1835

Original release date:06/12/2009

Last revised:08/08/2009

Source: US-CERT/NIST

Overview

Mozilla Firefox before 3.0.11 and SeaMonkey before 1.1.17 associate local documents with external domain names located after the file:// substring in a URL, which allows user-assisted remote attackers to read arbitrary cookies via a crafted HTML document, as demonstrated by a URL with file://example.com/C:/ at the beginning.

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:N/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type:Allows unauthorized disclosure of information

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: REDHAT

Name: RHSA-2009:1095

Type: Patch Information

Hyperlink:https://rhn.redhat.com/errata/RHSA-2009-1095.html

External Source: VUPEN

Name: ADV-2009-1572

Type: Advisory; Patch Information

Hyperlink:http://www.vupen.com/english/advisories/2009/1572

External Source: REDHAT

Name: RHSA-2009:1096

Type: Patch Information

Hyperlink:http://rhn.redhat.com/errata/RHSA-2009-1096.html

External Source: FEDORA

Name: FEDORA-2009-6411

Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2009-June/msg00657.html

External Source: FEDORA

Name: FEDORA-2009-6366

Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2009-June/msg00574.html

External Source: FEDORA

Name: FEDORA-2009-7614

Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00504.html

External Source: FEDORA

Name: FEDORA-2009-7567

Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00444.html

External Source: CONFIRM

Name: https://bugzilla.redhat.com/show_bug.cgi?id=503576

Hyperlink:https://bugzilla.redhat.com/show_bug.cgi?id=503576

External Source: CONFIRM

Name: https://bugzilla.mozilla.org/show_bug.cgi?id=491801

Hyperlink:https://bugzilla.mozilla.org/show_bug.cgi?id=491801

External Source: VUPEN

Name: ADV-2009-2152

Hyperlink:http://www.vupen.com/english/advisories/2009/2152

External Source: BID

Name: 35391

Hyperlink:http://www.securityfocus.com/bid/35391

External Source: BID

Name: 35326

Hyperlink:http://www.securityfocus.com/bid/35326

External Source: CONFIRM

Name: http://www.mozilla.org/security/announce/2009/mfsa2009-26.html

Type: Advisory

Hyperlink:http://www.mozilla.org/security/announce/2009/mfsa2009-26.html

External Source: DEBIAN

Name: DSA-1820

Hyperlink:http://www.debian.org/security/2009/dsa-1820

External Source: SUNALERT

Name: 265068

Hyperlink:http://sunsolve.sun.com/search/document.do?assetkey=1-26-265068-1

External Source: SLACKWARE

Name: SSA:2009-176-01

Hyperlink:http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.425408

External Source: SLACKWARE

Name: SSA:2009-167-01

Hyperlink:http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.372468

External Source: SECUNIA

Name: 35882

Hyperlink:http://secunia.com/advisories/35882

External Source: SECUNIA

Name: 35561

Hyperlink:http://secunia.com/advisories/35561

External Source: SECUNIA

Name: 35468

Hyperlink:http://secunia.com/advisories/35468

External Source: SECUNIA

Name: 35439

Type: Advisory

Hyperlink:http://secunia.com/advisories/35439

External Source: SECUNIA

Name: 35431

Type: Advisory

Hyperlink:http://secunia.com/advisories/35431

External Source: SECUNIA

Name: 35428

Type: Advisory

Hyperlink:http://secunia.com/advisories/35428

External Source: SECUNIA

Name: 35415

Hyperlink:http://secunia.com/advisories/35415

External Source: SECUNIA

Name: 35331

Type: Advisory

Hyperlink:http://secunia.com/advisories/35331

External Source: OSVDB

Name: 55161

Hyperlink:http://osvdb.org/55161

Vulnerable software and versions

Configuration 1

* cpe:/a:mozilla:firefox:3.0

* cpe:/a:mozilla:firefox:3.0.1

* cpe:/a:mozilla:firefox:3.0.2

* cpe:/a:mozilla:firefox:3.0.3

* cpe:/a:mozilla:firefox:3.0.4

* cpe:/a:mozilla:firefox:3.0.5

* cpe:/a:mozilla:firefox:3.0.6

* cpe:/a:mozilla:firefox:3.0.7

* cpe:/a:mozilla:firefox:3.0.8

* cpe:/a:mozilla:firefox:3.0:alpha

* cpe:/a:mozilla:firefox:3.0:beta2

* cpe:/a:mozilla:firefox:3.0.9

* cpe:/a:mozilla:seamonkey:1.0

* cpe:/a:mozilla:seamonkey:1.0.1

* cpe:/a:mozilla:seamonkey:1.0.3

* cpe:/a:mozilla:seamonkey:1.0.4

* cpe:/a:mozilla:seamonkey:1.0.6

* cpe:/a:mozilla:seamonkey:1.0.8

* cpe:/a:mozilla:seamonkey:1.0.9

* cpe:/a:mozilla:seamonkey:1.1.10

* cpe:/a:mozilla:seamonkey:1.0:beta

* cpe:/a:mozilla:seamonkey:1.0::alpha

* cpe:/a:mozilla:seamonkey:1.0::beta

* cpe:/a:mozilla:seamonkey:1.1

* cpe:/a:mozilla:seamonkey:1.1.1

* cpe:/a:mozilla:seamonkey:1.0:alpha

* cpe:/a:mozilla:seamonkey:1.0::dev

* cpe:/a:mozilla:seamonkey:1.0.99

* cpe:/a:mozilla:seamonkey:1.1.11

* cpe:/a:mozilla:seamonkey:1.1.12

* cpe:/a:mozilla:seamonkey:1.1.13

* cpe:/a:mozilla:seamonkey:1.1.15

* cpe:/a:mozilla:seamonkey:1.1.3

* cpe:/a:mozilla:seamonkey:1.1.5

* cpe:/a:mozilla:seamonkey:1.1.6

* cpe:/a:mozilla:seamonkey:1.1.9

* cpe:/a:mozilla:seamonkey:1.1::alpha

* cpe:/a:mozilla:seamonkey:1.1:alpha

* cpe:/a:mozilla:seamonkey:1.1.5:1.1.10

* cpe:/a:mozilla:seamonkey:1.1::beta

* cpe:/a:mozilla:seamonkey:1.1.8

* cpe:/a:mozilla:seamonkey:1.1:beta

* cpe:/a:mozilla:seamonkey:1.1.7

* cpe:/a:mozilla:seamonkey:1.1.16 and previous versions

* cpe:/a:mozilla:firefox:0.1

* cpe:/a:mozilla:firefox:0.10

* cpe:/a:mozilla:firefox:0.10.1

* cpe:/a:mozilla:firefox:0.2

* cpe:/a:mozilla:firefox:0.3

* cpe:/a:mozilla:firefox:0.4

* cpe:/a:mozilla:firefox:0.5

* cpe:/a:mozilla:firefox:0.6

* cpe:/a:mozilla:firefox:0.6.1

* cpe:/a:mozilla:firefox:2.0.0.14

* cpe:/a:mozilla:firefox:2.0.0.12

* cpe:/a:mozilla:firefox:2.0.0.19

* cpe:/a:mozilla:firefox:0.8

* cpe:/a:mozilla:firefox:0.9.1

* cpe:/a:mozilla:firefox:0.9

* cpe:/a:mozilla:firefox:0.9.3

* cpe:/a:mozilla:firefox:2.0:beta_1

* cpe:/a:mozilla:firefox:0.9.2

* cpe:/a:mozilla:firefox:1.0.1

* cpe:/a:mozilla:firefox:1.0

* cpe:/a:mozilla:firefox:2.0.0.20

* cpe:/a:mozilla:firefox:0.9:rc

* cpe:/a:mozilla:firefox:1.0.3

* cpe:/a:mozilla:firefox:1.0.2

* cpe:/a:mozilla:firefox:1.0.5

* cpe:/a:mozilla:firefox:1.0.4

* cpe:/a:mozilla:firefox:1.0.7

* cpe:/a:mozilla:firefox:1.0.6

* cpe:/a:mozilla:firefox:1.5

* cpe:/a:mozilla:firefox:2.0.0.9

* cpe:/a:mozilla:firefox:1.0.8

* cpe:/a:mozilla:firefox:2.0_.1

* cpe:/a:mozilla:firefox:2.0_.10

* cpe:/a:mozilla:firefox:2.0_.4

* cpe:/a:mozilla:firefox:2.0_.5

* cpe:/a:mozilla:firefox:2.0_.6

* cpe:/a:mozilla:firefox:2.0_.7

* cpe:/a:mozilla:firefox:2.0_.9

* cpe:/a:mozilla:firefox:2.0_8

* cpe:/a:mozilla:firefox:2.0.0.21

* cpe:/a:mozilla:firefox:2.0.0.10

* cpe:/a:mozilla:firefox:2.0.0.17

* cpe:/a:mozilla:firefox:2.0.0.11

* cpe:/a:mozilla:firefox:2.0.0.16

* cpe:/a:mozilla:firefox:1.4.1

* cpe:/a:mozilla:firefox:2.0.0.15

* cpe:/a:mozilla:firefox:0.7

* cpe:/a:mozilla:firefox:0.7.1

* cpe:/a:mozilla:firefox:1.0:preview_release

* cpe:/a:mozilla:firefox:1.5.0.4

* cpe:/a:mozilla:firefox:1.5.0.5

* cpe:/a:mozilla:firefox:1.5.0.2

* cpe:/a:mozilla:firefox:1.5.0.3

* cpe:/a:mozilla:firefox:1.5.0.11

* cpe:/a:mozilla:firefox:1.5.0.12

* cpe:/a:mozilla:firefox:2.0.0.7

* cpe:/a:mozilla:firefox:1.5.0.1

* cpe:/a:mozilla:firefox:1.5.0.10

* cpe:/a:mozilla:firefox:1.5.3

* cpe:/a:mozilla:firefox:1.5.4

* cpe:/a:mozilla:firefox:1.5.1

* cpe:/a:mozilla:firefox:1.5.2

* cpe:/a:mozilla:firefox:1.5.0.8

* cpe:/a:mozilla:firefox:1.5.0.9

* cpe:/a:mozilla:firefox:1.5.0.6

* cpe:/a:mozilla:firefox:1.5.0.7

* cpe:/a:mozilla:firefox:1.5:beta2

* cpe:/a:mozilla:firefox:2.0:beta1

* cpe:/a:mozilla:firefox:2.0

* cpe:/a:mozilla:firefox:1.8

* cpe:/a:mozilla:firefox:1.5.8

* cpe:/a:mozilla:firefox:1.5.7

* cpe:/a:mozilla:firefox:1.5.6

* cpe:/a:mozilla:firefox:1.5.5

* cpe:/a:mozilla:firefox:2.0.0.6

* cpe:/a:mozilla:firefox:2.0.0.5

* cpe:/a:mozilla:firefox:2.0.0.4

* cpe:/a:mozilla:firefox:0.9_rc

* cpe:/a:mozilla:firefox:2.0.0.3

* cpe:/a:mozilla:firefox:2.0.0.2

* cpe:/a:mozilla:firefox:2.0.0.1

* cpe:/a:mozilla:firefox:2.0:rc3

* cpe:/a:mozilla:firefox:2.0:rc2

* cpe:/a:mozilla:firefox:2.0.0.8

* cpe:/a:mozilla:firefox:2.0.0.13

* cpe:/a:mozilla:firefox:1.0.6::linux

* cpe:/a:mozilla:firefox:1.5:beta1

* cpe:/a:mozilla:firefox:2.0.0.18

* cpe:/a:mozilla:firefox:3.0:beta5

* cpe:/a:mozilla:firefox:3.0.10 and previous versions

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

Information Leak / Disclosure (CWE-200)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1835