CVE-2008-2785

Current Description

Mozilla Firefox before 2.0.0.16 and 3.x before 3.0.1, Thunderbird before 2.0.0.16, and SeaMonkey before 1.1.11 use an incorrect integer data type as a CSS object reference counter in the CSSValue array (aka nsCSSValue:Array) data structure, which allows remote attackers to execute arbitrary code via a large number of references to a common CSS object, leading to a counter overflow and a free of in-use memory, aka ZDI-CAN-349.

Referenced by CVEs: CVE-2008-2786

Basic Data

Published: June 19, 2008
Last Modified: October 11, 2018
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-189
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: COMPLETE
CVSS 2 - Availability Impact: COMPLETE
CVSS 2 - Base Score: 9.3
Severity: HIGH
Exploitability Score: 8.6
Impact Score: 10.0
Obtain All Privilege: true
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
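    | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
    | 2.3 | Application | Mozilla | Firefox | 2.0 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.1 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.2 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.3 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.4 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.5 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.6 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.7 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.8 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.9 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.10 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.11 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.12 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.13 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.14 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Firefox | * | * | * | * | * | * | * | * |  | 2.0.0.15 |  |  |
    | 2.3 | Application | Mozilla | Firefox | 3.0 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.0 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.0 | alpha | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.0 | beta | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.0.1 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.0.2 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.0.3 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.0.4 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.0.5 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.0.6 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.0.7 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.0.8 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.0.9 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.1 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.1 | alpha | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.1 | beta | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.1.1 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.1.2 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.1.3 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.1.4 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.1.5 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.1.6 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.1.7 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.1.8 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | 1.1.9 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Seamonkey | * | * | * | * | * | * | * | * |  | 1.1.10 |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 0.1 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 0.2 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 0.3 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 0.4 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 0.5 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 0.6 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 0.7 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 0.8 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 0.9 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 1.0 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 1.0.2 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 1.0.5 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 1.0.6 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 1.0.7 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 1.0.8 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 1.5 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 1.5.0.2 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 1.5.0.4 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 1.5.0.5 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 1.5.0.7 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 1.5.0.8 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 1.5.0.9 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 1.5.0.10 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 1.5.0.12 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 1.5.0.13 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 1.5.0.14 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 2.0.0.0 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 2.0.0.4 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 2.0.0.5 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 2.0.0.6 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 2.0.0.9 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | 2.0.0.12 | * | * | * | * | * | * | * |  |  |  |  |
    | 2.3 | Application | Mozilla | Thunderbird | * | * | * | * | * | * | * | * |  | 2.0.0.14 |  |  |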

Vulnerable Software List

| Vendor | Product | Versions |
| Mozilla | Firefox | *, 2.0, 2.0.0.1, 2.0.0.10, 2.0.0.11, 2.0.0.12, 2.0.0.13, 2.0.0.14, 2.0.0.2, 2.0.0.3, 2.0.0.4, 2.0.0.5, 2.0.0.6, 2.0.0.7, 2.0.0.8, 2.0.0.9, 3.0 |
| Mozilla | Thunderbird | *, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 1.0, 1.0.2, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.5, 1.5.0.10, 1.5.0.12, 1.5.0.13, 1.5.0.14, 1.5.0.2, 1.5.0.4, 1.5.0.5, 1.5.0.7, 1.5.0.8, 1.5.0.9, 2.0.0.0, 2.0.0.12, 2.0.0.4, 2.0.0.5, 2.0.0.6, 2.0.0.9 |
| Mozilla | Seamonkey | *, 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9 |

References

| Name | URL | Source | Tags |
| http://blog.mozilla.com/security/2008/06/18/new-security-issue-under-investigation/ | http://blog.mozilla.com/security/2008/06/18/new-security-issue-under-investigation/ | MISC |  |
| http://dvlabs.tippingpoint.com/blog/2008/06/18/vulnerability-in-mozilla-firefox-30 | http://dvlabs.tippingpoint.com/blog/2008/06/18/vulnerability-in-mozilla-firefox-30 | MISC |  |
| RHSA-2008:0616 | http://rhn.redhat.com/errata/RHSA-2008-0616.html | REDHAT |  |
| 30761 | http://secunia.com/advisories/30761 | SECUNIA | Vendor Advisory |
| 31121 | http://secunia.com/advisories/31121 | SECUNIA |  |
| 31122 | http://secunia.com/advisories/31122 | SECUNIA | Vendor Advisory |
| 31129 | http://secunia.com/advisories/31129 | SECUNIA | Vendor Advisory |
| 31144 | http://secunia.com/advisories/31144 | SECUNIA |  |
| 31145 | http://secunia.com/advisories/31145 | SECUNIA | Vendor Advisory |
| 31154 | http://secunia.com/advisories/31154 | SECUNIA | Vendor Advisory |
| 31157 | http://secunia.com/advisories/31157 | SECUNIA | Vendor Advisory |
| 31176 | http://secunia.com/advisories/31176 | SECUNIA | Vendor Advisory |
| 31183 | http://secunia.com/advisories/31183 | SECUNIA | Vendor Advisory |
| 31195 | http://secunia.com/advisories/31195 | SECUNIA | Vendor Advisory |
| 31220 | http://secunia.com/advisories/31220 | SECUNIA | Vendor Advisory |
| 31253 | http://secunia.com/advisories/31253 | SECUNIA | Vendor Advisory |
| 31261 | http://secunia.com/advisories/31261 | SECUNIA | Vendor Advisory |
| 31270 | http://secunia.com/advisories/31270 | SECUNIA | Vendor Advisory |
| 31286 | http://secunia.com/advisories/31286 | SECUNIA | Vendor Advisory |
| 31306 | http://secunia.com/advisories/31306 | SECUNIA | Vendor Advisory |
| 31377 | http://secunia.com/advisories/31377 | SECUNIA | Vendor Advisory |
| 31403 | http://secunia.com/advisories/31403 | SECUNIA | Vendor Advisory |
| 33433 | http://secunia.com/advisories/33433 | SECUNIA |  |
| 34501 | http://secunia.com/advisories/34501 | SECUNIA |  |
| GLSA-200808-03 | http://security.gentoo.org/glsa/glsa-200808-03.xml | GENTOO |  |
| SSA:2008-210-05 | http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.410484 | SLACKWARE |  |
| 256408 | http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1 | SUNALERT |  |
| http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0238 | http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0238 | CONFIRM |  |
| DSA-1614 | http://www.debian.org/security/2008/dsa-1614 | DEBIAN |  |
| DSA-1615 | http://www.debian.org/security/2008/dsa-1615 | DEBIAN |  |
| DSA-1621 | http://www.debian.org/security/2008/dsa-1621 | DEBIAN |  |
| DSA-1697 | http://www.debian.org/security/2009/dsa-1697 | DEBIAN |  |
| MDVSA-2008:148 | http://www.mandriva.com/security/advisories?name=MDVSA-2008:148 | MANDRIVA |  |
| MDVSA-2008:155 | http://www.mandriva.com/security/advisories?name=MDVSA-2008:155 | MANDRIVA |  |
| http://www.mozilla.org/security/announce/2008/mfsa2008-34.html | http://www.mozilla.org/security/announce/2008/mfsa2008-34.html | CONFIRM | PATCH Vendor Advisory |
| http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=InfoDocument-patchbuilder-readme5031400 | http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=InfoDocument-patchbuilde | CONFIRM |  |
| RHSA-2008:0597 | http://www.redhat.com/support/errata/RHSA-2008-0597.html | REDHAT |  |
| RHSA-2008:0598 | http://www.redhat.com/support/errata/RHSA-2008-0598.html | REDHAT |  |
| RHSA-2008:0599 | http://www.redhat.com/support/errata/RHSA-2008-0599.html | REDHAT |  |
| 20080717 ZDI-08-044: Mozilla Firefox CSSValue Array Memory Corruption Vulnerability | http://www.securityfocus.com/archive/1/494504/100/0/threaded | BUGTRAQ |  |
| 20080729 rPSA-2008-0238-1 firefox | http://www.securityfocus.com/archive/1/494860/100/0/threaded | BUGTRAQ |  |
| 29802 | http://www.securityfocus.com/bid/29802 | BID |  |
| 1020336 | http://www.securitytracker.com/id?1020336 | SECTRACK |  |
| SSA:2008-198-02 | http://www.slackware.org/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.380767 | SLACKWARE |  |
| SSA:2008-198-01 | http://www.slackware.org/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.380974 | SLACKWARE |  |
| USN-623-1 | http://www.ubuntu.com/usn/usn-623-1 | UBUNTU |  |
| USN-626-1 | http://www.ubuntu.com/usn/usn-626-1 | UBUNTU |  |
| USN-626-2 | http://www.ubuntu.com/usn/usn-626-2 | UBUNTU |  |
| USN-629-1 | http://www.ubuntu.com/usn/usn-629-1 | UBUNTU |  |
| ADV-2008-1873 | http://www.vupen.com/english/advisories/2008/1873 | VUPEN |  |
| ADV-2009-0977 | http://www.vupen.com/english/advisories/2009/0977 | VUPEN |  |
| http://www.zerodayinitiative.com/advisories/ZDI-08-044/ | http://www.zerodayinitiative.com/advisories/ZDI-08-044/ | MISC |  |
| https://bugzilla.mozilla.org/show_bug.cgi?id=440230 | https://bugzilla.mozilla.org/show_bug.cgi?id=440230 | CONFIRM |  |
| firefox-unspecified-code-execution(43167) | https://exchange.xforce.ibmcloud.com/vulnerabilities/43167 | XF |  |
| https://issues.rpath.com/browse/RPL-2683 | https://issues.rpath.com/browse/RPL-2683 | CONFIRM |  |
| oval:org.mitre.oval:def:9900 | https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9900 | OVAL |  |
| FEDORA-2008-6737 | https://www.redhat.com/archives/fedora-package-announce/2008-August/msg00125.html | FEDORA |  |
| FEDORA-2008-6706 | https://www.redhat.com/archives/fedora-package-announce/2008-August/msg00144.html | FEDORA |  |
| FEDORA-2008-6517 | https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00667.html | FEDORA |  |
| FEDORA-2008-6519 | https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00672.html | FEDORA |  |