CVE-2015-4477 - OpenCVE

Use-after-free vulnerability in the MediaStream playback feature in Mozilla Firefox before 40.0 allows remote attackers to execute arbitrary code via unspecified use of the Web Audio API.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Canonical	Ubuntu Linux
Mozilla	Firefox
Opensuse	Opensuse

Configuration 1 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:12.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:15.04:::::::*
	cpe:2.3:o:opensuse:opensuse:13.1:::::::*
	cpe:2.3:o:opensuse:opensuse:13.2:::::::*

Configuration 2 [-]

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00014.html
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00015.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00089.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00091.html
http://www.mozilla.org/security/announce/2015/mfsa2015-81.html	Vendor Advisory
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.securitytracker.com/id/1033247
http://www.ubuntu.com/usn/USN-2702-1
http://www.ubuntu.com/usn/USN-2702-2
http://www.ubuntu.com/usn/USN-2702-3
https://bugzilla.mozilla.org/show_bug.cgi?id=1179484
https://security.gentoo.org/glsa/201605-06

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mozilla

Published: 2015-08-16T01:00:00

Updated: 2016-12-22T18:57:01

Reserved: 2015-06-10T00:00:00

Link: CVE-2015-4477

JSON object: View

NVD Information

Status : Modified

Published: 2015-08-16T01:59:04.613

Modified: 2018-10-30T16:27:35.843

Link: CVE-2015-4477

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-08-11T00:00:00", "descriptions": [{"lang": "en", "value": "Use-after-free vulnerability in the MediaStream playback feature in Mozilla Firefox before 40.0 allows remote attackers to execute arbitrary code via unspecified use of the Web Audio API."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-12-22T18:57:01", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"name": "openSUSE-SU-2016:0894", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00091.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.mozilla.org/security/announce/2015/mfsa2015-81.html"}, {"name": "USN-2702-3", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2702-3"}, {"name": "openSUSE-SU-2015:1389", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00014.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1179484"}, {"name": "openSUSE-SU-2016:0876", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00089.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"name": "1033247", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1033247"}, {"name": "USN-2702-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2702-2"}, {"name": "USN-2702-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2702-1"}, {"name": "GLSA-201605-06", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201605-06"}, {"name": "openSUSE-SU-2015:1390", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00015.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2015-4477", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Use-after-free vulnerability in the MediaStream playback feature in Mozilla Firefox before 40.0 allows remote attackers to execute arbitrary code via unspecified use of the Web Audio API."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "openSUSE-SU-2016:0894", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00091.html"}, {"name": "http://www.mozilla.org/security/announce/2015/mfsa2015-81.html", "refsource": "CONFIRM", "url": "http://www.mozilla.org/security/announce/2015/mfsa2015-81.html"}, {"name": "USN-2702-3", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2702-3"}, {"name": "openSUSE-SU-2015:1389", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00014.html"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1179484", "refsource": "CONFIRM", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1179484"}, {"name": "openSUSE-SU-2016:0876", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00089.html"}, {"name": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"name": "1033247", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1033247"}, {"name": "USN-2702-2", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2702-2"}, {"name": "USN-2702-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2702-1"}, {"name": "GLSA-201605-06", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201605-06"}, {"name": "openSUSE-SU-2015:1390", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00015.html"}]}}}}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2015-4477", "datePublished": "2015-08-16T01:00:00", "dateReserved": "2015-06-10T00:00:00", "dateUpdated": "2016-12-22T18:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*", "matchCriteriaId": "F38D3B7E-8429-473F-BB31-FC3583EE5A5B", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "40AB4FC4-00EA-4C4E-81D8-170BD068B28B", "versionEndIncluding": "39.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Use-after-free vulnerability in the MediaStream playback feature in Mozilla Firefox before 40.0 allows remote attackers to execute arbitrary code via unspecified use of the Web Audio API."}, {"lang": "es", "value": "Vulnerabilidad de uso despu\u00e9s de liberaci\u00f3n en la memoria en la funcionalidad de MediaStream playback de Mozilla Firefox en versiones anteriores a 40.0, permite a atacantes remotos ejecutar c\u00f3digo arbitrario a trav\u00e9s de un uso no especificado de la API de Web Audio."}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/416.html\">CWE-416: Use After Free</a>", "id": "CVE-2015-4477", "lastModified": "2018-10-30T16:27:35.843", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-08-16T01:59:04.613", "references": [{"source": "security@mozilla.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00014.html"}, {"source": "security@mozilla.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00015.html"}, {"source": "security@mozilla.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00089.html"}, {"source": "security@mozilla.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00091.html"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "http://www.mozilla.org/security/announce/2015/mfsa2015-81.html"}, {"source": "security@mozilla.org", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"source": "security@mozilla.org", "url": "http://www.securitytracker.com/id/1033247"}, {"source": "security@mozilla.org", "url": "http://www.ubuntu.com/usn/USN-2702-1"}, {"source": "security@mozilla.org", "url": "http://www.ubuntu.com/usn/USN-2702-2"}, {"source": "security@mozilla.org", "url": "http://www.ubuntu.com/usn/USN-2702-3"}, {"source": "security@mozilla.org", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1179484"}, {"source": "security@mozilla.org", "url": "https://security.gentoo.org/glsa/201605-06"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}