CVE-2004-0903

Current Description

Stack-based buffer overflow in the writeGroup function in nsVCardObj.cpp for Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows remote attackers to execute arbitrary code via malformed VCard attachments that are not properly handled when previewing a message.

Basic Data

Published: January 27, 2005
Last Modified: October 11, 2017
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: NVD-CWE-Other
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: COMPLETE
CVSS 2 - Availability Impact: COMPLETE
CVSS 2 - Base Score: 10.0
Severity: HIGH
Exploitability Score: 10.0
Impact Score: 10.0
Obtain All Privilege: true
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
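    | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
    |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
    | 2.3 | Application | Mozilla | Mozilla | 1.7 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Mozilla | 1.7.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Mozilla | 1.7.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Thunderbird | 0.7 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Thunderbird | 0.7.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Thunderbird | 0.7.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Thunderbird | 0.7.3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | OS | Conectiva | Linux | 9.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | OS | Conectiva | Linux | 10.0 | * | * | * | * | * | * | * | | | | |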
  • OR - Configuration 2
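    | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
    |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
    | 2.3 | OS | Redhat | Enterprise Linux | 2.1 | * | advanced_server | * | * | * | * | * | | | | |
    | 2.3 | OS | Redhat | Enterprise Linux | 2.1 | * | advanced_server_ia64 | * | * | * | * | * | | | | |
    | 2.3 | OS | Redhat | Enterprise Linux | 2.1 | * | enterprise_server | * | * | * | * | * | | | | |
    | 2.3 | OS | Redhat | Enterprise Linux | 2.1 | * | enterprise_server_ia64 | * | * | * | * | * | | | | |
    | 2.3 | OS | Redhat | Enterprise Linux | 2.1 | * | workstation | * | * | * | * | * | | | | |
    | 2.3 | OS | Redhat | Enterprise Linux | 2.1 | * | workstation_ia64 | * | * | * | * | * | | | | |
    | 2.3 | OS | Redhat | Enterprise Linux | 3.0 | * | advanced_server | * | * | * | * | * | | | | |
    | 2.3 | OS | Redhat | Enterprise Linux | 3.0 | * | enterprise_server | * | * | * | * | * | | | | |
    | 2.3 | OS | Redhat | Enterprise Linux | 3.0 | * | workstation_server | * | * | * | * | * | | | | |
    | 2.3 | OS | Redhat | Enterprise Linux Desktop | 3.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | OS | Redhat | Fedora Core | core_1.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | OS | Redhat | Linux | 7.3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | OS | Redhat | Linux | 7.3 | * | i386 | * | * | * | * | * | | | | |
    | 2.3 | OS | Redhat | Linux | 7.3 | * | i686 | * | * | * | * | * | | | | |
    | 2.3 | OS | Redhat | Linux | 9.0 | * | i386 | * | * | * | * | * | | | | |
    | 2.3 | OS | Redhat | Linux Advanced Workstation | 2.1 | * | ia64 | * | * | * | * | * | | | | |
    | 2.3 | OS | Redhat | Linux Advanced Workstation | 2.1 | * | itanium_processor | * | * | * | * | * | | | | |
    | 2.3 | OS | Suse | Suse Linux | 1.0 | * | desktop | * | * | * | * | * | | | | |
    | 2.3 | OS | Suse | Suse Linux | 8 | * | enterprise_server | * | * | * | * | * | | | | |
    | 2.3 | OS | Suse | Suse Linux | 8.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | OS | Suse | Suse Linux | 8.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | OS | Suse | Suse Linux | 9.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | OS | Suse | Suse Linux | 9.0 | * | enterprise_server | * | * | * | * | * | | | | |
    | 2.3 | OS | Suse | Suse Linux | 9.0 | * | x86_64 | * | * | * | * | * | | | | |
    | 2.3 | OS | Suse | Suse Linux | 9.1 | * | * | * | * | * | * | * | | | | |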

Vulnerable Software List

| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Thunderbird | 0.7, 0.7.1, 0.7.2, 0.7.3 |
| Mozilla | Mozilla | 1.7, 1.7.1, 1.7.2 |
| Redhat | Enterprise Linux | 2.1, 3.0 |
| Redhat | Enterprise Linux Desktop | 3.0 |
| Redhat | Linux | 7.3, 9.0 |
| Redhat | Fedora Core | core_1.0 |
| Redhat | Linux Advanced Workstation | 2.1 |
| Conectiva | Linux | 10.0, 9.0 |
| Suse | Suse Linux | 1.0, 8, 8.1, 8.2, 9.0, 9.1 |

References

| Name | URL | Source | Tags |
|---|---|---|---|
| http://bugzilla.mozilla.org/show_bug.cgi?id=257314 | http://bugzilla.mozilla.org/show_bug.cgi?id=257314 | CONFIRM | Vendor Advisory |
| SSRT4826 | http://marc.info/?l=bugtraq&m=109698896104418&w=2 | HP | |
| FLSA:2089 | http://marc.info/?l=bugtraq&m=109900315219363&w=2 | FEDORA | |
| GLSA-200409-26 | http://security.gentoo.org/glsa/glsa-200409-26.xml | GENTOO | |
| VU#414240 | http://www.kb.cert.org/vuls/id/414240 | CERT-VN | Third Party Advisory, US Government Resource |
| http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3 | http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3 | CONFIRM | |
| SUSE-SA:2004:036 | http://www.novell.com/linux/security/advisories/2004_36_mozilla.html | SUSE | |
| 11174 | http://www.securityfocus.com/bid/11174 | BID | Vendor Advisory |
| TA04-261A | http://www.us-cert.gov/cas/techalerts/TA04-261A.html | CERT | US Government Resource |
| mozilla-netscape-nsvcardobj-bo(17380) | https://exchange.xforce.ibmcloud.com/vulnerabilities/17380 | XF | |
| oval:org.mitre.oval:def:10873 | https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10873 | OVAL | |