Vulnerability CVE-2014-1496

Vulnerability Name:

CVE-2014-1496 (CCN-91857)

Assigned:

2014-03-18

Published:

2014-03-18

Updated:

2020-08-05

Summary:

Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 might allow local users to gain privileges by modifying the extracted Mar contents during an update.

CVSS v3 Severity:

5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

9.3 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

1.9 Low (CVSS v2 Vector: AV:L/AC:M/Au:N/C:N/I:P/A:N)
1.4 Low (Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.3 Medium (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

CWE-269

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2014-1496

Source: SUSE
Type: Mailing List, Third Party Advisory
SUSE-SU-2014:0418

Source: CCN
Type: SA57500
Mozilla Firefox / Thunderbird / SeaMonkey Multiple Vulnerabilities

Source: CCN
Type: SA57510
Mozilla Firefox Multiple Vulnerabilities

Source: CCN
Type: MFSA 2014-16
Files extracted during updates are not always read only

Source: CONFIRM
Type: Vendor Advisory
http://www.mozilla.org/security/announce/2014/mfsa2014-16.html

Source: CONFIRM
Type: Third Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

Source: CCN
Type: BID-66416
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2014-1496 Security Bypass Vulnerability

Source: CONFIRM
Type: Exploit, Issue Tracking, Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=925747

Source: XF
Type: UNKNOWN
mozilla-cve20141496-priv-esc(91857)

Source: GENTOO
Type: Third Party Advisory
GLSA-201504-01

Vulnerable Configuration:

Configuration 1:

cpe:/a:mozilla:firefox:*:*:*:*:*:*:*:* (Version < 28.0)

OR cpe:/a:mozilla:firefox_esr:*:*:*:*:*:*:*:* (Version >= 24.0 and < 24.4)

OR cpe:/a:mozilla:seamonkey:*:*:*:*:*:*:*:* (Version < 2.25)

OR cpe:/a:mozilla:thunderbird:*:*:*:*:*:*:*:* (Version < 24.4)

Configuration 2:

cpe:/a:suse:suse_linux_enterprise_software_development_kit:11.0:sp3:*:*:*:*:*:*

OR cpe:/o:suse:suse_linux_enterprise_desktop:11:sp3:*:*:*:*:*:*

OR cpe:/o:suse:suse_linux_enterprise_server:11:sp3:*:*:*:-:*:*

OR cpe:/o:suse:suse_linux_enterprise_server:11:sp3:*:*:*:vmware:*:*

Configuration CCN 1:

cpe:/a:mozilla:firefox_esr:24.3:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:27.0:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:2.24:*:*:*:*:*:*:*

OR cpe:/a:mozilla:thunderbird:24.3.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20141496	V	CVE-2014-1496	2022-05-22
oval:org.opensuse.security:def:30166	P	Security update for chrony (Moderate)	2021-12-22
oval:org.opensuse.security:def:55979	P	Security update for clamav (Moderate)	2021-12-01
oval:org.opensuse.security:def:33047	P	Security update for webkit2gtk3 (Important)	2021-11-23
oval:org.opensuse.security:def:33741	P	Security update for postgresql, postgresql13, postgresql14 (Important)	2021-11-20
oval:org.opensuse.security:def:30147	P	Security update for MozillaFirefox (Important)	2021-11-17
oval:org.opensuse.security:def:33024	P	Security update for util-linux (Moderate)	2021-10-19
oval:org.opensuse.security:def:33729	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:29417	P	Security update for libesmtp (Important)	2021-09-02
oval:org.opensuse.security:def:32985	P	Security update for openssl (Important)	2021-08-24
oval:org.opensuse.security:def:29406	P	Security update for cpio (Important)	2021-08-14
oval:org.opensuse.security:def:29405	P	Security update for djvulibre (Important)	2021-08-05
oval:org.opensuse.security:def:30108	P	Security update for libsndfile (Critical)	2021-08-05
oval:org.opensuse.security:def:30210	P	Security update for ucode-intel (Important)	2021-06-10
oval:org.opensuse.security:def:32936	P	Security update for shim (Important)	2021-06-08
oval:org.opensuse.security:def:55898	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:33645	P	Security update for samba (Important)	2021-05-04
oval:org.opensuse.security:def:30059	P	Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP2) (Important)	2021-04-12
oval:org.opensuse.security:def:34044	P	Security update for wavpack (Important)	2021-03-24
oval:org.opensuse.security:def:29489	P	Security update for nghttp2 (Important)	2021-03-24
oval:org.opensuse.security:def:55860	P	Security update for wpa_supplicant (Important)	2021-03-09
oval:org.opensuse.security:def:33091	P	Security update for openldap2 (Important)	2021-03-03
oval:org.opensuse.security:def:55301	P	Security update for python-cryptography (Important)	2021-03-02
oval:org.opensuse.security:def:28942	P	Security update for java-1_8_0-ibm (Important)	2021-02-26
oval:org.opensuse.security:def:32262	P	Security update for java-1_8_0-openjdk (Moderate)	2021-02-19
oval:org.opensuse.security:def:32261	P	Security update for krb5-appl (Important)	2021-02-19
oval:org.opensuse.security:def:33768	P	Security update for java-1_7_1-ibm (Important)	2021-02-18
oval:org.opensuse.security:def:32273	P	Security update for MozillaFirefox (Important)	2021-01-12
oval:org.opensuse.security:def:30004	P	Security update for flac (Moderate)	2021-01-04
oval:org.opensuse.security:def:55135	P	Security update for cyrus-sasl (Important)	2020-12-28
oval:org.opensuse.security:def:55786	P	Security update for xen (Moderate)	2020-12-22
oval:org.opensuse.security:def:26710	P	gnome-screensaver on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26626	P	pam_mount on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28666	P	Security update for MozillaFirefox	2020-12-01
oval:org.opensuse.security:def:26569	P	kde4-kgreeter-plugins on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:55694	P	Security update for ghostscript (Low)	2020-12-01
oval:org.opensuse.security:def:28631	P	Security update for MozillaFirefox, mozilla-nspr, mozilla-nss (Important)	2020-12-01
oval:org.opensuse.security:def:26488	P	Security update for cacti, cacti-spine (Moderate)	2020-12-01
oval:org.opensuse.security:def:55586	P	Security update for openssh (Moderate)	2020-12-01
oval:org.opensuse.security:def:27993	P	Security update for MozillaFirefox (Moderate)	2020-12-01
oval:org.opensuse.security:def:26360	P	Security update for MozillaThunderbird (Moderate)	2020-12-01
oval:org.opensuse.security:def:27949	P	Security update for GraphicsMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:26296	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:27935	P	Security update for GraphicsMagick (Important)	2020-12-01
oval:org.opensuse.security:def:26285	P	Security update for the Linux Kernel (Critical)	2020-12-01
oval:org.opensuse.security:def:55029	P	vino on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27896	P	Security update for tidy (Low)	2020-12-01
oval:org.opensuse.security:def:26284	P	Security update for taglib (Low)	2020-12-01
oval:org.opensuse.security:def:54856	P	libecpg6 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27847	P	Security update for openldap2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:54618	P	libvdpau1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27794	P	Security update for libgcrypt	2020-12-01
oval:org.opensuse.security:def:54478	P	glib2-lang on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27643	P	Security update for libssh2	2020-12-01
oval:org.opensuse.security:def:54456	P	e2fsprogs on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27559	P	rubygem-i18n-0_6 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29716	P	Security update for MozillaFirefox	2020-12-01
oval:org.opensuse.security:def:54455	P	dracut on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27502	P	libwpd-0_8-8 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29680	P	Security update for ecryptfs-utils	2020-12-01
oval:org.opensuse.security:def:27420	P	imlib2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32879	P	gvim on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29042	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:27292	P	squid on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32723	P	libopenssl0_9_8 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28998	P	Security update for gnutls (Moderate)	2020-12-01
oval:org.opensuse.security:def:27228	P	libxcrypt on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32636	P	apache2-mod_php53 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28981	P	Security update for tiff (Moderate)	2020-12-01
oval:org.opensuse.security:def:34937	P	Security update for MozillaFirefox	2020-12-01
oval:org.opensuse.security:def:27217	P	libsoup-2_4-1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32579	P	mozilla-xulrunner190 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:34897	P	Security update for dbus-1	2020-12-01
oval:org.opensuse.security:def:27216	P	libsnmp15-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32485	P	PolicyKit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28893	P	Security update for fetchmail (Moderate)	2020-12-01
oval:org.opensuse.security:def:34259	P	Security update for postgresql94 (Important)	2020-12-01
oval:org.opensuse.security:def:32350	P	Security update for squid (Moderate)	2020-12-01
oval:org.opensuse.security:def:28839	P	Security update for tiff (Moderate)	2020-12-01
oval:org.opensuse.security:def:34215	P	Security update for php5 (Important)	2020-12-01
oval:org.opensuse.security:def:28687	P	Security update for flash-player (Moderate)	2020-12-01
oval:org.opensuse.security:def:34190	P	Security update for opie	2020-12-01
oval:org.opensuse.security:def:28603	P	Security update for usbmuxd	2020-12-01
oval:org.opensuse.security:def:34151	P	Security update for openssh (Moderate)	2020-12-01
oval:org.opensuse.security:def:30885	P	Security update for MozillaFirefox	2020-12-01
oval:org.opensuse.security:def:28546	P	Security update for Mozilla Firefox	2020-12-01
oval:org.opensuse.security:def:34102	P	Security update for MozillaFirefox, MozillaFirefox-branding-SLED, MozillaFirefox-branding-SLES-for-VMware, mozilla-nss (Moderate)	2020-12-01
oval:org.opensuse.security:def:30848	P	Security update for dhcp (Moderate)	2020-12-01
oval:org.opensuse.security:def:28461	P	Security update for xorg-x11-libX11 (Moderate)	2020-12-01
oval:org.opensuse.security:def:28330	P	Security update for php53 (Moderate)	2020-12-01
oval:org.opensuse.security:def:33887	P	Security update for kdebase4-runtime	2020-12-01
oval:org.opensuse.security:def:28263	P	Security update for mercurial (Important)	2020-12-01
oval:org.opensuse.security:def:33798	P	Security update for gd	2020-12-01
oval:org.opensuse.security:def:28252	P	Security update for libxml2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:27733	P	Security update for MozillaFirefox	2020-12-01
oval:org.opensuse.security:def:28251	P	Security update for libxml2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:27698	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:33509	P	Security update for openswan	2020-12-01
oval:org.opensuse.security:def:27060	P	xorg-x11-libs-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:33427	P	Security update for Samba	2020-12-01
oval:org.opensuse.security:def:29851	P	Security update for Linux Kernel	2020-12-01
oval:org.opensuse.security:def:27016	P	postgresql on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:33416	P	Security update for ImageMagick	2020-12-01
oval:org.opensuse.security:def:29765	P	Security update for glibc (Important)	2020-12-01
oval:org.opensuse.security:def:27002	P	openvpn on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:57329	P	Security update for MozillaFirefox	2020-12-01
oval:org.opensuse.security:def:33415	P	Security update for zeromq (Important)	2020-12-01
oval:org.opensuse.security:def:29708	P	Security update for MozillaFirefox	2020-12-01
oval:org.opensuse.security:def:26963	P	libpng12-0 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:57255	P	Security update for openssl-certs	2020-12-01
oval:org.opensuse.security:def:29621	P	Security update for boost	2020-12-01
oval:org.opensuse.security:def:26914	P	gvim on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26861	P	ant on GA media (Moderate)	2020-12-01
oval:org.mitre.oval:def:24858	P	SUSE-SU-2014:0418-1 -- Security update for MozillaFirefox	2015-03-16
oval:org.mitre.oval:def:24570	V	Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 might allow local users to gain privileges by modifying the extracted Mar contents during an update.	2014-10-06
oval:org.opensuse.security:def:79963	P	Security update for MozillaFirefox	2014-03-20
oval:com.ubuntu.precise:def:20141496000	V	CVE-2014-1496 on Ubuntu 12.04 LTS (precise) - medium.	2014-03-19

BACK