CVE-2008-2801

Current Description

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly implement JAR signing, which allows remote attackers to execute arbitrary code via (1) injection of JavaScript into documents within a JAR archive or (2) a JAR archive that uses relative URLs to JavaScript files.

Referenced by CVEs: CVE-2011-2993

Basic Data

Published: July 07, 2008
Last Modified: October 11, 2018
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-287
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 7.5
Severity: HIGH
Exploitability Score: 10.0
Impact Score: 6.4
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
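    | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
    |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
    | 2.3 | Application | Mozilla | Firefox | 2.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.4 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.5 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.6 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.7 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.8 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.9 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.10 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.11 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.12 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Firefox | 2.0.0.13 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Firefox | * | * | * | * | * | * | * | * | | 2.0.0.14 | | |
    | 2.3 | Application | Mozilla | Seamonkey | 1.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Seamonkey | 1.1.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Seamonkey | 1.1.3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Seamonkey | 1.1.4 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Seamonkey | 1.1.5 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Seamonkey | 1.1.6 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Seamonkey | 1.1.7 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Seamonkey | 1.1.8 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Mozilla | Seamonkey | * | * | * | * | * | * | * | * | | 1.1.9 | | |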

Vulnerable Software List

| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | *, 2.0, 2.0.0.1, 2.0.0.10, 2.0.0.11, 2.0.0.12, 2.0.0.13, 2.0.0.2, 2.0.0.3, 2.0.0.4, 2.0.0.5, 2.0.0.6, 2.0.0.7, 2.0.0.8, 2.0.0.9 |
| Mozilla | Seamonkey | *, 1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8 |

References

| Name | Source | URL | Tags |
|---|---|---|---|
| SUSE-SA:2008:034 | SUSE | http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00004.html | |
| RHSA-2008:0616 | REDHAT | http://rhn.redhat.com/errata/RHSA-2008-0616.html | |
| 30878 | SECUNIA | http://secunia.com/advisories/30878 | |
| 30898 | SECUNIA | http://secunia.com/advisories/30898 | |
| 30903 | SECUNIA | http://secunia.com/advisories/30903 | |
| 30911 | SECUNIA | http://secunia.com/advisories/30911 | Vendor Advisory |
| 30949 | SECUNIA | http://secunia.com/advisories/30949 | |
| 31005 | SECUNIA | http://secunia.com/advisories/31005 | |
| 31008 | SECUNIA | http://secunia.com/advisories/31008 | |
| 31021 | SECUNIA | http://secunia.com/advisories/31021 | |
| 31023 | SECUNIA | http://secunia.com/advisories/31023 | |
| 31069 | SECUNIA | http://secunia.com/advisories/31069 | |
| 31076 | SECUNIA | http://secunia.com/advisories/31076 | |
| 31183 | SECUNIA | http://secunia.com/advisories/31183 | |
| 31195 | SECUNIA | http://secunia.com/advisories/31195 | |
| 31377 | SECUNIA | http://secunia.com/advisories/31377 | |
| 33433 | SECUNIA | http://secunia.com/advisories/33433 | |
| 34501 | SECUNIA | http://secunia.com/advisories/34501 | |
| GLSA-200808-03 | GENTOO | http://security.gentoo.org/glsa/glsa-200808-03.xml | |
| SSA:2008-191-03 | SLACKWARE | http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.383152 | |
| SSA:2008-191 | SLACKWARE | http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.384911 | |
| 256408 | SUNALERT | http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1 | |
| http://wiki.rpath.com/Advisories:rPSA-2008-0216 | CONFIRM | http://wiki.rpath.com/Advisories:rPSA-2008-0216 | |
| DSA-1607 | DEBIAN | http://www.debian.org/security/2008/dsa-1607 | |
| DSA-1615 | DEBIAN | http://www.debian.org/security/2008/dsa-1615 | |
| DSA-1697 | DEBIAN | http://www.debian.org/security/2009/dsa-1697 | |
| MDVSA-2008:136 | MANDRIVA | http://www.mandriva.com/security/advisories?name=MDVSA-2008:136 | |
| http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15 | CONFIRM | http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15 | |
| http://www.mozilla.org/security/announce/2008/mfsa2008-23.html | CONFIRM | http://www.mozilla.org/security/announce/2008/mfsa2008-23.html | |
| RHSA-2008:0547 | REDHAT | http://www.redhat.com/support/errata/RHSA-2008-0547.html | |
| RHSA-2008:0549 | REDHAT | http://www.redhat.com/support/errata/RHSA-2008-0549.html | |
| RHSA-2008:0569 | REDHAT | http://www.redhat.com/support/errata/RHSA-2008-0569.html | |
| 20080708 rPSA-2008-0216-1 firefox | BUGTRAQ | http://www.securityfocus.com/archive/1/494080/100/0/threaded | |
| 30038 | BID | http://www.securityfocus.com/bid/30038 | |
| 1020419 | SECTRACK | http://www.securitytracker.com/id?1020419 | |
| USN-619-1 | UBUNTU | http://www.ubuntu.com/usn/usn-619-1 | |
| ADV-2008-1993 | VUPEN | http://www.vupen.com/english/advisories/2008/1993/references | |
| ADV-2009-0977 | VUPEN | http://www.vupen.com/english/advisories/2009/0977 | |
| https://bugzilla.mozilla.org/show_bug.cgi?id=418996 | CONFIRM | https://bugzilla.mozilla.org/show_bug.cgi?id=418996 | |
| https://bugzilla.mozilla.org/show_bug.cgi?id=424188 | CONFIRM | https://bugzilla.mozilla.org/show_bug.cgi?id=424188 | |
| https://bugzilla.mozilla.org/show_bug.cgi?id=424426 | CONFIRM | https://bugzilla.mozilla.org/show_bug.cgi?id=424426 | |
| https://issues.rpath.com/browse/RPL-2646 | CONFIRM | https://issues.rpath.com/browse/RPL-2646 | |
| oval:org.mitre.oval:def:11810 | OVAL | https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11810 | |
| FEDORA-2008-6127 | FEDORA | https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00207.html | |
| FEDORA-2008-6193 | FEDORA | https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00288.html | |
| FEDORA-2008-6196 | FEDORA | https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00295.html | |