CVE-2011-0082 - OpenCVE

The X.509 certificate validation functionality in Mozilla Firefox 4.0.x through 4.0.1 does not properly implement single-session security exceptions, which might make it easier for user-assisted remote attackers to spoof an SSL server via an untrusted certificate that triggers potentially unwanted local caching of documents from that server.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Mozilla	Firefox

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox:4.0:::::::*
	cpe:2.3:a:mozilla:firefox:4.0:beta1::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta10::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta11::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta12::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta2::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta3::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta4::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta5::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta6::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta7::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta8::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta9::::::
	cpe:2.3:a:mozilla:firefox:4.0.1:::::::*

References

Link	Resource
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627552	Exploit
http://openwall.com/lists/oss-security/2011/05/31/14	Exploit
http://openwall.com/lists/oss-security/2011/05/31/18	Exploit
http://openwall.com/lists/oss-security/2011/05/31/4	Exploit
http://openwall.com/lists/oss-security/2011/05/31/9	Exploit
http://www.securityfocus.com/bid/48064
https://bugzilla.mozilla.org/show_bug.cgi?id=660749	Exploit
https://bugzilla.redhat.com/show_bug.cgi?id=709165	Exploit
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14145

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2011-06-06T19:00:00

Updated: 2017-09-18T12:57:01

Reserved: 2010-12-21T00:00:00

Link: CVE-2011-0082

JSON object: View

NVD Information

Status : Modified

Published: 2011-06-06T19:55:01.317

Modified: 2017-09-19T01:31:53.707

Link: CVE-2011-0082

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2011-05-21T00:00:00", "descriptions": [{"lang": "en", "value": "The X.509 certificate validation functionality in Mozilla Firefox 4.0.x through 4.0.1 does not properly implement single-session security exceptions, which might make it easier for user-assisted remote attackers to spoof an SSL server via an untrusted certificate that triggers potentially unwanted local caching of documents from that server."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-18T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "48064", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/48064"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=709165"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627552"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=660749"}, {"name": "[oss-security] 20110531 Re: CVE request: firefox doesn't (re)validate certificates when loading HTTPS page", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2011/05/31/18"}, {"name": "[oss-security] 20110531 CVE request: firefox doesn't (re)validate certificates when loading HTTPS page", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2011/05/31/4"}, {"name": "oval:org.mitre.oval:def:14145", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14145"}, {"name": "[oss-security] 20110531 Re: CVE request: firefox doesn't (re)validate certificates when loading HTTPS page", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2011/05/31/14"}, {"name": "[oss-security] 20110531 Re: CVE request: firefox doesn't (re)validate certificates when loading HTTPS page", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2011/05/31/9"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2011-0082", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The X.509 certificate validation functionality in Mozilla Firefox 4.0.x through 4.0.1 does not properly implement single-session security exceptions, which might make it easier for user-assisted remote attackers to spoof an SSL server via an untrusted certificate that triggers potentially unwanted local caching of documents from that server."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "48064", "refsource": "BID", "url": "http://www.securityfocus.com/bid/48064"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=709165", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=709165"}, {"name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627552", "refsource": "CONFIRM", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627552"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=660749", "refsource": "CONFIRM", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=660749"}, {"name": "[oss-security] 20110531 Re: CVE request: firefox doesn't (re)validate certificates when loading HTTPS page", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2011/05/31/18"}, {"name": "[oss-security] 20110531 CVE request: firefox doesn't (re)validate certificates when loading HTTPS page", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2011/05/31/4"}, {"name": "oval:org.mitre.oval:def:14145", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14145"}, {"name": "[oss-security] 20110531 Re: CVE request: firefox doesn't (re)validate certificates when loading HTTPS page", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2011/05/31/14"}, {"name": "[oss-security] 20110531 Re: CVE request: firefox doesn't (re)validate certificates when loading HTTPS page", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2011/05/31/9"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2011-0082", "datePublished": "2011-06-06T19:00:00", "dateReserved": "2010-12-21T00:00:00", "dateUpdated": "2017-09-18T12:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "C69962C4-FA56-47F2-82A4-DFF4C19DAF3A", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:4.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "B7BC1684-3634-4585-B7E6-8C8777E1DA0D", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:4.0:beta10:*:*:*:*:*:*", "matchCriteriaId": "A490D040-EF74-45C2-89ED-D88ADD222712", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:4.0:beta11:*:*:*:*:*:*", "matchCriteriaId": "6CDA17D1-CD93-401E-860C-7C3291FEEB7E", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:4.0:beta12:*:*:*:*:*:*", "matchCriteriaId": "6F72FDE3-54E0-48E4-9015-1B8A36DB1EC3", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:4.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "4062C901-3828-415B-A6C3-EDD0E7B20C0E", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:4.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "CC0D8730-7034-4AD6-9B05-F8BAFB0145EF", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:4.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "857AFB05-F0C1-4061-9680-9561D68C908F", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:4.0:beta5:*:*:*:*:*:*", "matchCriteriaId": "EC37EBAF-C979-4ACC-ACA9-BDC2AECCB0D7", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:4.0:beta6:*:*:*:*:*:*", "matchCriteriaId": "80801CD8-EEAF-4BC4-9085-DCCC6CF73076", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:4.0:beta7:*:*:*:*:*:*", "matchCriteriaId": "FAF4C78A-5093-4871-AF69-A8E8FD7E1AAE", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:4.0:beta8:*:*:*:*:*:*", "matchCriteriaId": "560AD4C7-89D2-4323-BBCC-A89EEB6832CB", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:4.0:beta9:*:*:*:*:*:*", "matchCriteriaId": "6B389CBC-4F6C-4C17-A87B-A6DD92703A10", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DDFBA043-91BC-4FB5-A34D-FCE1A9C65A88", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The X.509 certificate validation functionality in Mozilla Firefox 4.0.x through 4.0.1 does not properly implement single-session security exceptions, which might make it easier for user-assisted remote attackers to spoof an SSL server via an untrusted certificate that triggers potentially unwanted local caching of documents from that server."}, {"lang": "es", "value": "La funcionalidad de validaci\u00f3n de certificados X.509 de Mozilla Firefox 4.0.x hasta la 4.0.1 no implementa apropiadamente las excepciones de seguridad de \"single-session\", lo que facilita a atacantes remotos asistidos por el usuario falsificar un servidor SSL a trav\u00e9s de un certificado no confiable que provoca el cacheo, potencialmente no deseado, de documentos del servidor."}], "id": "CVE-2011-0082", "lastModified": "2017-09-19T01:31:53.707", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2011-06-06T19:55:01.317", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627552"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://openwall.com/lists/oss-security/2011/05/31/14"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://openwall.com/lists/oss-security/2011/05/31/18"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://openwall.com/lists/oss-security/2011/05/31/4"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://openwall.com/lists/oss-security/2011/05/31/9"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/48064"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=660749"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=709165"}, {"source": "cve@mitre.org", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14145"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}