Vulnerability Name: CVE-2008-4067 (CCN-45359) Assigned: 2008-09-23 Published: 2008-09-23 Updated: 2018-11-01 Summary: Directory traversal vulnerability in Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 on Linux allows remote attackers to read arbitrary files via a .. (dot dot) and URL-encoded / (slash) characters in a resource: URI. CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): LowIntegrity (I): NoneAvailibility (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N 3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): MediumAuthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): NoneAvailibility (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N 3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): MediumAthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): NoneAvailibility (A): None
Vulnerability Type: CWE-22 Vulnerability Consequences: Gain Access References: Source: MITRECVE-2008-4067 http://download.novell.com/Download?buildid=WZXONb-tqBw~ SUSE-SA:2008:050 Critical: firefox security update Critical: seamonkey security update Moderate: thunderbird security update Mozilla Firefox 2 Multiple Vulnerabilities 31984 31985 31987 Mozilla Thunderbird Multiple Vulnerabilities 32007 Mozilla SeaMonkey Multiple Vulnerabilities 32010 Mozilla Firefox 3 Multiple Vulnerabilities 32011 32012 32025 32042 32044 32082 32089 32092 32095 32096 32144 32185 32196 32845 33433 33434 Sun Solaris Firefox Multiple Vulnerabilities 34501 Mozilla Firefox 'resource:' Protocol Processing Flaw Lets Remote Users Traverse the Directory SSA:2008-269-02 SSA:2008-269-01 SSA:2008-270-01 256408 Multiple Security Vulnerabilities in Firefox Versions Before 2.0.0.19 May Allow Execution of Arbitrary Code or Access to Unauthorized Data thunderbird security update (RHSA-2008-0908) seamonkey security update (RHSA-2008-0882) firefox security update (RHSA-2008-0879) Multiple Security Vulnerabilities in Firefox Versions Before 2.0.0.19 May Allow Execution of Arbitrary Code or Access to unauthorized Data (Sun 256408) Nortel Response to Sun Alert 256408 - Solaris 10 - Vulnerabilities in Firefox May Allow Execution of Arbitrary Code http://www.0x000000.com/?i=422 DSA-1649 DSA-1669 DSA-1696 DSA-1697 iceweasel -- several vulnerabilities xulrunner -- several vulnerabilities icedove -- several vulnerabilities iceape -- several vulnerabilities MDVSA-2008:205 MDVSA-2008:206 resource: traversal vulnerabilities http://www.mozilla.org/security/announce/2008/mfsa2008-44.html RHSA-2008:0879 RHSA-2008:0882 RHSA-2008:0908 31346 Mozilla Firefox/SeaMonkey/Thunderbird Multiple Remote Vulnerabilities 1020921 Firefox and xulrunner vulnerabilities USN-645-1 Firefox vulnerabilities USN-645-2 Firefox and xulrunner regression Thunderbird vulnerabilities USN-647-1 ADV-2008-2661 ADV-2009-0977 https://bugzilla.mozilla.org/show_bug.cgi?id=380994 Resource Directory Traversal Vulnerability https://bugzilla.mozilla.org/show_bug.cgi?id=394075 mozilla-protocol-directory-traversal(45359) mozilla-protocol-directory-traversal(45359) oval:org.mitre.oval:def:10770 FEDORA-2008-8425 FEDORA-2008-8401 FEDORA-2008-8429 Mozilla security problems Vulnerable Configuration: Configuration 1 :cpe:/a:mozilla:firefox:*:*:*:*:*:*:*:* (Version < 2.0.0.17)OR cpe:/a:mozilla:firefox:*:*:*:*:*:*:*:* (Version >= 3.0 and < 3.0.2) OR cpe:/a:mozilla:seamonkey:*:*:*:*:*:*:*:* (Version < 1.1.12) OR cpe:/a:mozilla:thunderbird:*:*:*:*:*:*:*:* (Version < 2.0.0.17) AND cpe:/o:linux:linux_kernel:-:*:*:*:*:*:*:* Configuration 2 :cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:* Configuration 3 :cpe:/o:canonical:ubuntu_linux:6.06:*:*:*:lts:*:*:* OR cpe:/o:canonical:ubuntu_linux:7.04:*:*:*:*:*:*:* OR cpe:/o:canonical:ubuntu_linux:7.10:*:*:*:*:*:*:* OR cpe:/o:canonical:ubuntu_linux:8.04:*:*:*:lts:*:*:* Configuration RedHat 1 :cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:* Configuration RedHat 2 :cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:* Configuration RedHat 3 :cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:* Configuration RedHat 4 :cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:* Configuration RedHat 5 :cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:* Configuration RedHat 6 :cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:* Configuration RedHat 7 :cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:* Configuration RedHat 8 :cpe:/o:redhat:enterprise_linux:5::client_workstation:*:*:*:*:* Configuration RedHat 9 :cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:* Configuration RedHat 10 :cpe:/a:redhat:rhel_productivity:5:*:*:*:*:*:*:* Configuration CCN 1 :cpe:/a:mozilla:firefox:2.0:*:*:*:*:*:*:* OR cpe:/a:mozilla:firefox:2.0.0.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:firefox:2.0.0.2:*:*:*:*:*:*:* OR cpe:/a:mozilla:firefox:2.0.0.3:*:*:*:*:*:*:* OR cpe:/a:mozilla:firefox:2.0.0.4:*:*:*:*:*:*:* OR cpe:/a:mozilla:firefox:2.0.0.5:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:2.0.0.5:*:*:*:*:*:*:* OR cpe:/a:mozilla:seamonkey:1.1.3:*:*:*:*:*:*:* OR cpe:/a:mozilla:firefox:2.0.0.6:*:*:*:*:*:*:* OR cpe:/a:mozilla:firefox:2.0.0.9:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:2.0.0.4:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:2.0.0.3:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:2.0.0.2:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:2.0.0.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:seamonkey:1.1.2:*:*:*:*:*:*:* OR cpe:/a:mozilla:seamonkey:1.1.1:*:*:*:*:*:*:* OR cpe:/a:mozilla:firefox:2.0.0.7:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:2.0.0.6:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:2.0.0.7:*:*:*:*:*:*:* OR cpe:/a:mozilla:seamonkey:1.1.4:*:*:*:*:*:*:* OR cpe:/a:mozilla:firefox:2.0.0.8:*:*:*:*:*:*:* OR cpe:/a:mozilla:seamonkey:1.1.5:*:*:*:*:*:*:* OR cpe:/a:mozilla:seamonkey:1.1.6:*:*:*:*:*:*:* OR cpe:/a:mozilla:firefox:2.0.0.11:*:*:*:*:*:*:* OR cpe:/a:mozilla:firefox:2.0.0.12:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:2.0.0.9:*:*:*:*:*:*:* OR cpe:/a:mozilla:firefox:2.0.0.10:*:*:*:*:*:*:* OR cpe:/a:mozilla:firefox:2.0.0.13:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:2.0.0.0:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:2.0.0.11:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:2.0.0.12:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:2.0.0.13:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:2.0.0.8:*:*:*:*:*:*:* OR cpe:/a:mozilla:seamonkey:1.1.7:*:*:*:*:*:*:* OR cpe:/a:mozilla:seamonkey:1.1.8:*:*:*:*:*:*:* OR cpe:/a:mozilla:seamonkey:1.1.9:*:*:*:*:*:*:* OR cpe:/a:mozilla:firefox:2.0.0.14:*:*:*:*:*:*:* OR cpe:/a:mozilla:firefox:2.0.0.15:*:*:*:*:*:*:* OR cpe:/a:mozilla:seamonkey:1.1.10:*:*:*:*:*:*:* OR cpe:/a:mozilla:seamonkey:1.1.11:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:2.0.0.14:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:2.0.0.16:*:*:*:*:*:*:* OR cpe:/a:mozilla:thunderbird:2.0.0.15:*:*:*:*:*:*:* AND cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:* OR cpe:/o:suse:suse_linux:9.0:*:*:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:* OR cpe:/o:novell:linux_desktop:9:*:*:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:* OR cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:* OR cpe:/o:canonical:ubuntu:6.06::lts:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0::x86_64:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0::x86_64:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:5:*:client_workstation:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux:2008.0::x86-64:*:*:*:*:* OR cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:* OR cpe:/o:canonical:ubuntu:7.04:*:*:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:5:*:client:*:*:*:*:* OR cpe:/o:canonical:ubuntu:7.10:*:*:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux:2008.0:*:*:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux:2008.1:x86_64:*:*:*:*:*:* OR cpe:/a:novell:open_enterprise_server:*:*:*:*:*:*:*:* OR cpe:/o:opensuse:opensuse:10.2:*:*:*:*:*:*:* OR cpe:/o:opensuse:opensuse:10.3:*:*:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux:2008.1:*:*:*:*:*:*:* OR cpe:/o:canonical:ubuntu:8.04::lts:*:*:*:*:* OR cpe:/o:opensuse:opensuse:11.0:*:*:*:*:*:*:* OR cpe:/o:novell:suse_linux_enterprise_server:10:sp2:itanium_ia64:*:*:*:*:* Oval Definitions BACK
mozilla firefox *
mozilla firefox *
mozilla seamonkey *
mozilla thunderbird *
linux linux kernel -
debian debian linux 4.0
canonical ubuntu linux 6.06
canonical ubuntu linux 7.04
canonical ubuntu linux 7.10
canonical ubuntu linux 8.04
mozilla firefox 2.0
mozilla firefox 2.0.0.1
mozilla firefox 2.0.0.2
mozilla firefox 2.0.0.3
mozilla firefox 2.0.0.4
mozilla firefox 2.0.0.5
mozilla thunderbird 2.0.0.5
mozilla seamonkey 1.1.3
mozilla firefox 2.0.0.6
mozilla firefox 2.0.0.9
mozilla thunderbird 2.0.0.4
mozilla thunderbird 2.0.0.3
mozilla thunderbird 2.0.0.2
mozilla thunderbird 2.0.0.1
mozilla seamonkey 1.1.2
mozilla seamonkey 1.1.1
mozilla firefox 2.0.0.7
mozilla thunderbird 2.0.0.6
mozilla thunderbird 2.0.0.7
mozilla seamonkey 1.1.4
mozilla firefox 2.0.0.8
mozilla seamonkey 1.1.5
mozilla seamonkey 1.1.6
mozilla firefox 2.0.0.11
mozilla firefox 2.0.0.12
mozilla thunderbird 2.0.0.9
mozilla firefox 2.0.0.10
mozilla firefox 2.0.0.13
mozilla thunderbird 2.0.0.0
mozilla thunderbird 2.0.0.11
mozilla thunderbird 2.0.0.12
mozilla thunderbird 2.0.0.13
mozilla thunderbird 2.0.0.8
mozilla seamonkey 1.1.7
mozilla seamonkey 1.1.8
mozilla seamonkey 1.1.9
mozilla firefox 2.0.0.14
mozilla firefox 2.0.0.15
mozilla seamonkey 1.1.10
mozilla seamonkey 1.1.11
mozilla thunderbird 2.0.0.14
mozilla thunderbird 2.0.0.16
mozilla thunderbird 2.0.0.15
redhat enterprise linux 2.1
redhat enterprise linux 2.1
redhat enterprise linux 2.1
suse suse linux 9.0
redhat enterprise linux 3
redhat enterprise linux 3
redhat enterprise linux 3
redhat enterprise linux 3
mandrakesoft mandrake linux corporate server 3.0
redhat enterprise linux 4
redhat enterprise linux 4
novell linux desktop 9
redhat enterprise linux 4
redhat enterprise linux 4
redhat linux advanced workstation 2.1
canonical ubuntu 6.06
mandrakesoft mandrake linux corporate server 4.0
mandrakesoft mandrake linux corporate server 4.0
mandrakesoft mandrake linux corporate server 3.0
redhat enterprise linux 5
redhat enterprise linux 5
mandrakesoft mandrake linux 2008.0
debian debian linux 4.0
canonical ubuntu 7.04
redhat enterprise linux 5
canonical ubuntu 7.10
mandrakesoft mandrake linux 2008.0
mandrakesoft mandrake linux 2008.1 x86_64
novell open enterprise server *
novell opensuse 10.2
novell opensuse 10.3
mandrakesoft mandrake linux 2008.1
canonical ubuntu 8.04
novell opensuse 11.0
novell suse linux enterprise server 10 sp2
Denotes that component is vulnerable