Vulnerability Name: CVE-2004-0906 (CCN-17375) Assigned: 2004-02-26 Published: 2004-02-26 Updated: 2017-10-11 Summary: The XPInstall installer in Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 sets insecure permissions for certain installed files within xpi packages, which could allow local users to overwrite arbitrary files or execute arbitrary code. CVSS v3 Severity: 5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Exploitability Metrics: Attack Vector (AV): LocalAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): LowIntegrity (I): LowAvailibility (A): Low
CVSS v2 Severity: 4.6 Medium (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P Exploitability Metrics: Access Vector (AV): LocalAccess Complexity (AC): LowAuthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): PartialAvailibility (A): Partial
4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P Exploitability Metrics: Access Vector (AV): LocalAccess Complexity (AC): LowAthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): PartialAvailibility (A): Partial
Vulnerability Type: CWE-Other Vulnerability Consequences: Gain Privileges References: Source: CCNwrong file permissions after installation http://bugzilla.mozilla.org/show_bug.cgi?id=231083 XPInstall ignores user's umask when installing files http://bugzilla.mozilla.org/show_bug.cgi?id=235781 CVE-2004-0906 mozilla security update Mozilla Multiple Vulnerabilities 12526 GLSA-200409-26 [slackware-security] Mozilla (SSA:2004-266-03) Mozilla, Firefox, Thunderbird, Epiphany: New releases fix vulnerabilities Mozilla Linux installer does not properly set file permissions VU#653160 Mozilla - Home of the Firefox web browser, Thunderbird and the Mozilla Suite http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3 SUSE-SA:2004:036 RHSA-2005:323 11192 Mozilla/Firefox Browsers Tar.GZ Archive Weak Permissions Vulnerability mozilla-insecure-file-permissions(17375) mozilla-insecure-file-permissions(17375) oval:org.mitre.oval:def:11668 mozilla: various vulnerabilities Vulnerable Configuration: Configuration 1 :cpe:/a:mozilla:mozilla:0.8:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:0.9.2:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:0.9.2.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:0.9.3:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:0.9.4:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:0.9.4.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:0.9.5:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:0.9.6:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:0.9.7:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:0.9.8:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:0.9.9:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:0.9.35:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:0.9.48:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.0:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.0:rc1:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.0:rc2:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.0.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.0.2:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.1:alpha:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.1:beta:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.2:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.2:alpha:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.2:beta:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.2.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.3:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.3.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.4:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.4:alpha:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.4:beta:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.4.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.4.2:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.4.4:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.5:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.5.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.6:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.7:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.7:alpha:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.7:beta:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.7:rc1:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.7:rc2:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.7:rc3:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.7.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.7.2:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:0.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:0.2:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:0.3:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:0.4:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:0.5:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:0.6:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:0.7:-:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:0.7.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:0.7.2:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:0.7.3:*:*:*:*:*:*:* Configuration RedHat 1 :cpe:/o:redhat:enterprise_linux:*:*:*:*:*:*:*:* Configuration CCN 1 :cpe:/a:mozilla:mozilla:1.0:rc1:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.0:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.0.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.2.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.3:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.4:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.3.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.6:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.7:rc3:*:*:*:*:*:* OR cpe:/a:mozilla:firefox:0.8:*:*:*:*:*:*:* OR cpe:/a:mozilla:firefox:0.9:rc:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.7:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.7.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:firefox:0.9.2:*:*:*:*:*:*:* OR cpe:/a:mozilla:firefox:0.9.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:firefox:0.9.3:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.7.2:*:*:*:*:*:*:* OR cpe:/a:mozilla:firefox:0.9:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:0.9.2:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.0.2:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.1:alpha:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.1:beta:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.2:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.2:alpha:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.2:beta:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.4.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.4.2:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.4.4:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.4:alpha:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.4:beta:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.5:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.5.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.5:alpha:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.5:rc1:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.5:rc2:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.6:alpha:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.6:beta:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.7:alpha:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.7:beta:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.7:rc1:*:*:*:*:*:* OR cpe:/a:mozilla:mozilla:1.7:rc2:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:0.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:0.2:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:0.3:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:0.4:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:0.5:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:0.6:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:0.7:-:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:0.7.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:0.7.2:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:0.7.3:*:*:*:*:*:*:* OR cpe:/a:mozilla:firefox:0.7:*:*:*:*:*:*:* AND cpe:/o:gentoo:linux:*:*:*:*:*:*:*:* OR cpe:/o:suse:linux_enterprise_server:8:*:*:*:*:*:*:* OR cpe:/o:slackware:slackware_linux:current:*:*:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:* OR cpe:/o:suse:suse_linux:9.0:*:*:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:* OR cpe:/o:slackware:slackware_linux:10.0:*:*:*:*:*:*:* OR cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:* Oval Definitions Definition ID Class Title Last Modified oval:org.opensuse.security:def:20040906 V CVE-2004-0906 2015-11-16 oval:org.mitre.oval:def:11668 V The XPInstall installer in Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 sets insecure permissions for certain installed files within xpi packages, which could allow local users to overwrite arbitrary files or execute arbitrary code. 2013-04-29 oval:com.redhat.rhsa:def:20050323 P RHSA-2005:323: mozilla security update (Critical) 2005-03-23
BACK
mozilla mozilla 0.8
mozilla mozilla 0.9.2
mozilla mozilla 0.9.2.1
mozilla mozilla 0.9.3
mozilla mozilla 0.9.4
mozilla mozilla 0.9.4.1
mozilla mozilla 0.9.5
mozilla mozilla 0.9.6
mozilla mozilla 0.9.7
mozilla mozilla 0.9.8
mozilla mozilla 0.9.9
mozilla mozilla 0.9.35
mozilla mozilla 0.9.48
mozilla mozilla 1.0
mozilla mozilla 1.0 rc1
mozilla mozilla 1.0 rc2
mozilla mozilla 1.0.1
mozilla mozilla 1.0.2
mozilla mozilla 1.1
mozilla mozilla 1.1 alpha
mozilla mozilla 1.1 beta
mozilla mozilla 1.2
mozilla mozilla 1.2 alpha
mozilla mozilla 1.2 beta
mozilla mozilla 1.2.1
mozilla mozilla 1.3
mozilla mozilla 1.3.1
mozilla mozilla 1.4
mozilla mozilla 1.4 alpha
mozilla mozilla 1.4 beta
mozilla mozilla 1.4.1
mozilla mozilla 1.4.2
mozilla mozilla 1.4.4
mozilla mozilla 1.5
mozilla mozilla 1.5.1
mozilla mozilla 1.6
mozilla mozilla 1.7
mozilla mozilla 1.7 alpha
mozilla mozilla 1.7 beta
mozilla mozilla 1.7 rc1
mozilla mozilla 1.7 rc2
mozilla mozilla 1.7 rc3
mozilla mozilla 1.7.1
mozilla mozilla 1.7.2
mozilla thunderbird 0.1
mozilla thunderbird 0.2
mozilla thunderbird 0.3
mozilla thunderbird 0.4
mozilla thunderbird 0.5
mozilla thunderbird 0.6
mozilla thunderbird 0.7
mozilla thunderbird 0.7.1
mozilla thunderbird 0.7.2
mozilla thunderbird 0.7.3
mozilla mozilla 1.0 rc1
mozilla mozilla 1.0
mozilla mozilla 1.0.1
mozilla mozilla 1.1
mozilla mozilla 1.2.1
mozilla mozilla 1.3
mozilla mozilla 1.4
mozilla mozilla 1.3.1
mozilla mozilla 1.6
mozilla mozilla 1.7 rc3
mozilla firefox 0.8
mozilla firefox 0.9 rc
mozilla mozilla 1.7
mozilla mozilla 1.7.1
mozilla firefox 0.9.2
mozilla firefox 0.9.1
mozilla firefox 0.9.3
mozilla mozilla 1.7.2
mozilla firefox 0.9
mozilla mozilla 0.9.2
mozilla mozilla 1.0.2
mozilla mozilla 1.1 alpha
mozilla mozilla 1.1 beta
mozilla mozilla 1.2
mozilla mozilla 1.2 alpha
mozilla mozilla 1.2 beta
mozilla mozilla 1.4.1
mozilla mozilla 1.4.2
mozilla mozilla 1.4.4
mozilla mozilla 1.4 alpha
mozilla mozilla 1.4 beta
mozilla mozilla 1.5
mozilla mozilla 1.5.1
mozilla mozilla 1.5 alpha
mozilla mozilla 1.5 rc1
mozilla mozilla 1.5 rc2
mozilla mozilla 1.6 alpha
mozilla mozilla 1.6 beta
mozilla mozilla 1.7 alpha
mozilla mozilla 1.7 beta
mozilla mozilla 1.7 rc1
mozilla mozilla 1.7 rc2
mozilla thunderbird 0.1
mozilla thunderbird 0.2
mozilla thunderbird 0.3
mozilla thunderbird 0.4
mozilla thunderbird 0.5
mozilla thunderbird 0.6
mozilla thunderbird 0.7
mozilla thunderbird 0.7.1
mozilla thunderbird 0.7.2
mozilla thunderbird 0.7.3
mozilla firefox 0.7
gentoo linux *
suse linux enterprise server 8
slackware slackware linux current
redhat enterprise linux 2.1
redhat enterprise linux 2.1
redhat enterprise linux 2.1
suse suse linux 9.0
redhat enterprise linux 3
redhat enterprise linux 3
redhat enterprise linux 3
redhat enterprise linux 3
slackware slackware linux 10.0
redhat linux advanced workstation 2.1
Denotes that component is vulnerable