CVE-2015-4497 - OpenCVE

Use-after-free vulnerability in the CanvasRenderingContext2D implementation in Mozilla Firefox before 40.0.3 and Firefox ESR 38.x before 38.2.1 allows remote attackers to execute arbitrary code by leveraging improper interaction between resize events and changes to Cascading Style Sheets (CSS) token sequences for a CANVAS element.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Mozilla	Firefox Esr Firefox

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox:40.0.2:::::::*
	cpe:2.3:a:mozilla:firefox_esr:38.0:::::::*
	cpe:2.3:a:mozilla:firefox_esr:38.0.1:::::::*
	cpe:2.3:a:mozilla:firefox_esr:38.0.5:::::::*
	cpe:2.3:a:mozilla:firefox_esr:38.1.0:::::::*
	cpe:2.3:a:mozilla:firefox_esr:38.2.0:::::::*

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00013.html
http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00025.html
http://lists.opensuse.org/opensuse-updates/2015-09/msg00000.html
http://rhn.redhat.com/errata/RHSA-2015-1693.html
http://www.debian.org/security/2015/dsa-3345
http://www.mozilla.org/security/announce/2015/mfsa2015-94.html	Vendor Advisory
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.securityfocus.com/bid/76502
http://www.securitytracker.com/id/1033397
http://www.ubuntu.com/usn/USN-2723-1
http://www.zerodayinitiative.com/advisories/ZDI-15-406
https://bugzilla.mozilla.org/show_bug.cgi?id=1164766
https://bugzilla.mozilla.org/show_bug.cgi?id=1175278

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mozilla

Published: 2015-08-29T19:00:00

Updated: 2016-12-20T16:57:01

Reserved: 2015-06-10T00:00:00

Link: CVE-2015-4497

JSON object: View

NVD Information

Status : Modified

Published: 2015-08-29T19:59:00.123

Modified: 2016-12-22T02:59:54.710

Link: CVE-2015-4497

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-08-27T00:00:00", "descriptions": [{"lang": "en", "value": "Use-after-free vulnerability in the CanvasRenderingContext2D implementation in Mozilla Firefox before 40.0.3 and Firefox ESR 38.x before 38.2.1 allows remote attackers to execute arbitrary code by leveraging improper interaction between resize events and changes to Cascading Style Sheets (CSS) token sequences for a CANVAS element."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-12-20T16:57:01", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://www.mozilla.org/security/announce/2015/mfsa2015-94.html"}, {"name": "DSA-3345", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3345"}, {"name": "SUSE-SU-2015:2081", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00025.html"}, {"name": "USN-2723-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2723-1"}, {"tags": ["x_refsource_MISC"], "url": "http://www.zerodayinitiative.com/advisories/ZDI-15-406"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1175278"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"name": "SUSE-SU-2015:1504", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00013.html"}, {"name": "openSUSE-SU-2015:1492", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00000.html"}, {"name": "76502", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/76502"}, {"name": "RHSA-2015:1693", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1693.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1164766"}, {"name": "1033397", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1033397"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2015-4497", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Use-after-free vulnerability in the CanvasRenderingContext2D implementation in Mozilla Firefox before 40.0.3 and Firefox ESR 38.x before 38.2.1 allows remote attackers to execute arbitrary code by leveraging improper interaction between resize events and changes to Cascading Style Sheets (CSS) token sequences for a CANVAS element."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.mozilla.org/security/announce/2015/mfsa2015-94.html", "refsource": "CONFIRM", "url": "http://www.mozilla.org/security/announce/2015/mfsa2015-94.html"}, {"name": "DSA-3345", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3345"}, {"name": "SUSE-SU-2015:2081", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00025.html"}, {"name": "USN-2723-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2723-1"}, {"name": "http://www.zerodayinitiative.com/advisories/ZDI-15-406", "refsource": "MISC", "url": "http://www.zerodayinitiative.com/advisories/ZDI-15-406"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1175278", "refsource": "CONFIRM", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1175278"}, {"name": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"name": "SUSE-SU-2015:1504", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00013.html"}, {"name": "openSUSE-SU-2015:1492", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00000.html"}, {"name": "76502", "refsource": "BID", "url": "http://www.securityfocus.com/bid/76502"}, {"name": "RHSA-2015:1693", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-1693.html"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1164766", "refsource": "CONFIRM", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1164766"}, {"name": "1033397", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1033397"}]}}}}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2015-4497", "datePublished": "2015-08-29T19:00:00", "dateReserved": "2015-06-10T00:00:00", "dateUpdated": "2016-12-20T16:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:40.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "59E90F00-714E-4F60-877D-1ED031C81622", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:38.0:*:*:*:*:*:*:*", "matchCriteriaId": "7A1DD76B-7682-4F61-B274-115D8A9B5306", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:38.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "332589F6-C6DB-4204-97FA-B60105BBF146", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:38.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "A04D6EAE-C709-4752-976E-DB15EE6E85B0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:38.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "FE52B8E3-3BA8-46DB-948E-958739FE91B1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:38.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "B50189A6-C058-46EA-9BE8-9D01E304D518", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Use-after-free vulnerability in the CanvasRenderingContext2D implementation in Mozilla Firefox before 40.0.3 and Firefox ESR 38.x before 38.2.1 allows remote attackers to execute arbitrary code by leveraging improper interaction between resize events and changes to Cascading Style Sheets (CSS) token sequences for a CANVAS element."}, {"lang": "es", "value": "Vulnerabilidad de uso despu\u00e9s de liberaci\u00f3n de memoria en la implementaci\u00f3n de CanvasRenderingContext2D en Mozilla Firefox en versiones anteriores a 40.0.3 y Firefox ESR 38.x en versiones anteriores a 38.2.1, permite a atacantes remotos ejecutar c\u00f3digo arbitrario mediante el aprovechamiento de la interacci\u00f3n inadecuada entre los eventos de cambio de tama\u00f1o y los cambios en las secuencias de token Cascading Style Sheets (CSS) para un elemento CANVAS."}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/416.html\">CWE-416: Use After Free</a>", "id": "CVE-2015-4497", "lastModified": "2016-12-22T02:59:54.710", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-08-29T19:59:00.123", "references": [{"source": "security@mozilla.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00013.html"}, {"source": "security@mozilla.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00025.html"}, {"source": "security@mozilla.org", "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00000.html"}, {"source": "security@mozilla.org", "url": "http://rhn.redhat.com/errata/RHSA-2015-1693.html"}, {"source": "security@mozilla.org", "url": "http://www.debian.org/security/2015/dsa-3345"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "http://www.mozilla.org/security/announce/2015/mfsa2015-94.html"}, {"source": "security@mozilla.org", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"source": "security@mozilla.org", "url": "http://www.securityfocus.com/bid/76502"}, {"source": "security@mozilla.org", "url": "http://www.securitytracker.com/id/1033397"}, {"source": "security@mozilla.org", "url": "http://www.ubuntu.com/usn/USN-2723-1"}, {"source": "security@mozilla.org", "url": "http://www.zerodayinitiative.com/advisories/ZDI-15-406"}, {"source": "security@mozilla.org", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1164766"}, {"source": "security@mozilla.org", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1175278"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}