Vulnerability Name:

CVE-2016-5299 (CCN-118937)

Assigned:2016-11-15
Published:2016-11-15
Updated:2018-07-30
Summary:A previously installed malicious Android application with same signature-level permissions as Firefox can intercept AuthTokens meant for Firefox only.
Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects Firefox < 50.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
3.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-275
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2016-5299

Source: BID
Type: Third Party Advisory, VDB Entry
94337

Source: CCN
Type: BID-94337
Mozilla Firefox Multiple Security Vulnerabilities

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1037298

Source: CONFIRM
Type: Exploit, Issue Tracking, Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1245791

Source: XF
Type: UNKNOWN
firefox-cve20165299-sec-bypass(118937)

Source: CCN
Type: Mozilla Foundation Security Advisory 2016-89
Security vulnerabilities fixed in Firefox 50

Source: CONFIRM
Type: Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2016-89/

Vulnerable Configuration:Configuration 1:
  • cpe:/a:mozilla:firefox:*:*:*:*:*:*:*:* (Version < 50.0)
  • AND
  • cpe:/o:google:android:-:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20165299
    V
    		CVE-2016-5299
    2023-06-22
    oval:org.opensuse.security:def:7868
    P
    		MozillaFirefox-102.11.0-150200.152.87.1 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:609
    P
    		Security update for sqlite3 (Moderate) (in QA)
    2022-10-04
    oval:org.opensuse.security:def:720
    P
    		Security update for ucode-intel (Moderate)
    2022-08-31
    oval:org.opensuse.security:def:3252
    P
    		libsmi-0.4.8-18.55 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:94882
    P
    		MozillaFirefox-91.8.0-150200.152.26.1 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:1523
    P
    		Security update for MozillaThunderbird (Important)
    2022-06-13
    oval:org.opensuse.security:def:1167
    P
    		Security update for jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core (Important)
    2022-05-16
    oval:org.opensuse.security:def:1301
    P
    		Security update for the Linux Kernel (Live Patch 10 for SLE 15 SP3) (Important)
    2022-04-14
    oval:org.opensuse.security:def:1056
    P
    		Security update for yaml-cpp (Moderate)
    2022-04-01
    oval:org.opensuse.security:def:1412
    P
    		Security update for the Linux Kernel (Live Patch 11 for SLE 15 SP3) (Important)
    2022-02-01
    oval:org.opensuse.security:def:111898
    P
    		MozillaFirefox-50.1.0-1.1 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:945
    P
    		Security update for net-snmp (Important)
    2022-01-11
    oval:org.opensuse.security:def:70030
    P
    		Security update for xorg-x11-server (Important)
    2021-12-21
    oval:org.opensuse.security:def:93994
    P
    		 (Important)
    2021-12-06
    oval:org.opensuse.security:def:1639
    P
    		Security update for squid (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:105475
    P
    		MozillaFirefox-50.1.0-1.1 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:71207
    P
    		hardlink-1.0+git.e66999f-1.25 on GA media (Moderate)
    2021-09-21
    oval:org.opensuse.security:def:69925
    P
    		Security update for ffmpeg (Important)
    2021-09-02
    oval:org.opensuse.security:def:47831
    P
    		mutt-1.10.1-55.6.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47377
    P
    		libmpfr4-3.1.2-7.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47130
    P
    		powerpc-utils-1.3.2-17.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48129
    P
    		libjansson4-2.12-3.5.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47702
    P
    		libecpg6-10.5-1.3.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47145
    P
    		rpcbind-0.2.3-21.4 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48256
    P
    		pam_krb5-2.4.4-4.4 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47942
    P
    		aaa_base-13.2+git20140911.61c1681-38.13.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47459
    P
    		pam_krb5-2.4.4-4.4 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47241
    P
    		dnsmasq-2.76-17.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48358
    P
    		zypper-1.13.51-21.26.4 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48240
    P
    		memcached-1.4.39-4.6.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47683
    P
    		libXrender1-0.9.8-7.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47256
    P
    		freeradius-server-3.0.14-1.8 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48045
    P
    		ibus-chewing-1.4.14-4.11 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47570
    P
    		bzip2-1.0.6-29.2 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47131
    P
    		ppc64-diag-2.7.1-5.6 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48191
    P
    		libsmi-0.4.8-18.55 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47794
    P
    		libtasn1-4.9-3.5.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47266
    P
    		glib2-lang-2.48.2-10.2 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48287
    P
    		python-pywbem-0.7.0-4.3 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48156
    P
    		libnetpbm11-10.66.3-8.7.2 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47591
    P
    		dbus-1-1.8.22-29.10.2 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47242
    P
    		dosfstools-3.0.26-6.5 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48302
    P
    		sane-backends-1.0.24-3.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:62728
    P
    		MozillaFirefox-78.10.0-8.38.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:101134
    P
    		MozillaFirefox-78.10.0-8.38.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:72447
    P
    		MozillaFirefox-78.10.0-8.38.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:49443
    P
    		Security update for nodejs10 (Important)
    2021-07-14
    oval:org.opensuse.security:def:48398
    P
    		cyrus-sasl-2.1.26-7.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48367
    P
    		apache-commons-httpclient-3.1-4.364 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48469
    P
    		libXinerama1-1.1.3-3.54 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:71094
    P
    		rpcbind-0.2.3-3.22 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:64507
    P
    		Security update for hivex (Moderate)
    2021-05-26
    oval:org.opensuse.security:def:67754
    P
    		Security update for the Linux Kernel (Live Patch 21 for SLE 15) (Important)
    2021-04-28
    oval:org.opensuse.security:def:100707
    P
    		 (Important)
    2021-02-17
    oval:org.opensuse.security:def:116931
    P
    		MozillaFirefox-68.8.0-3.87.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:72109
    P
    		MozillaFirefox-52.7.3-1.35 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62390
    P
    		MozillaFirefox-52.7.3-1.35 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:89851
    P
    		MozillaFirefox-60.6.2-3.32.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:72220
    P
    		MozillaFirefox-60.6.2-3.32.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:103506
    P
    		MozillaFirefox-60.6.2-3.32.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62501
    P
    		MozillaFirefox-60.6.2-3.32.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:72331
    P
    		MozillaFirefox-68.8.0-3.87.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:107373
    P
    		MozillaFirefox-68.8.0-3.87.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62612
    P
    		MozillaFirefox-68.8.0-3.87.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:66674
    P
    		MozillaFirefox on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:49497
    P
    		MozillaFirefox on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:64420
    P
    		opensc on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:73247
    P
    		libxcb-composite0 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:67854
    P
    		MozillaFirefox on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:49332
    P
    		socat on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:49608
    P
    		MozillaFirefox on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:66582
    P
    		pam on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:73365
    P
    		MozillaFirefox on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:49386
    P
    		MozillaFirefox on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:49554
    P
    		libjbig2-32bit on GA media (Moderate)
    2020-12-01
    oval:com.ubuntu.xenial:def:201652990000000
    V
    		CVE-2016-5299 on Ubuntu 16.04 LTS (xenial) - medium.
    2018-06-11
    oval:com.ubuntu.trusty:def:20165299000
    V
    		CVE-2016-5299 on Ubuntu 14.04 LTS (trusty) - medium.
    2018-06-11
    oval:com.ubuntu.xenial:def:20165299000
    V
    		CVE-2016-5299 on Ubuntu 16.04 LTS (xenial) - medium.
    2018-06-11
    oval:com.ubuntu.precise:def:20165299000
    V
    		CVE-2016-5299 on Ubuntu 12.04 LTS (precise) - medium.
    2016-11-17
    BACK
    mozilla firefox *
    google android -