CVE-2016-2816 - OpenCVE

Mozilla Firefox before 46.0 allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism via the multipart/x-mixed-replace content type.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Mozilla	Firefox

Configuration 1 [-]

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00005.html
http://lists.opensuse.org/opensuse-updates/2016-05/msg00038.html
http://www.mozilla.org/security/announce/2016/mfsa2016-45.html	Vendor Advisory
http://www.securitytracker.com/id/1035692
http://www.ubuntu.com/usn/USN-2936-1
http://www.ubuntu.com/usn/USN-2936-2
http://www.ubuntu.com/usn/USN-2936-3
https://bugzilla.mozilla.org/show_bug.cgi?id=1223743
https://security.gentoo.org/glsa/201701-15

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mozilla

Published: 2016-04-30T17:00:00

Updated: 2017-06-30T16:57:01

Reserved: 2016-03-01T00:00:00

Link: CVE-2016-2816

JSON object: View

NVD Information

Status : Modified

Published: 2016-04-30T17:59:13.647

Modified: 2017-07-01T01:29:40.890

Link: CVE-2016-2816

JSON object: View

Redhat Information

No data.

CWE

CWE-284

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-04-26T00:00:00", "descriptions": [{"lang": "en", "value": "Mozilla Firefox before 46.0 allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism via the multipart/x-mixed-replace content type."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-06-30T16:57:01", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"name": "openSUSE-SU-2016:1211", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00005.html"}, {"name": "1035692", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1035692"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.mozilla.org/security/announce/2016/mfsa2016-45.html"}, {"name": "openSUSE-SU-2016:1251", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2016-05/msg00038.html"}, {"name": "USN-2936-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2936-2"}, {"name": "GLSA-201701-15", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201701-15"}, {"name": "USN-2936-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2936-1"}, {"name": "USN-2936-3", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2936-3"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1223743"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2016-2816", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Mozilla Firefox before 46.0 allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism via the multipart/x-mixed-replace content type."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "openSUSE-SU-2016:1211", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00005.html"}, {"name": "1035692", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035692"}, {"name": "http://www.mozilla.org/security/announce/2016/mfsa2016-45.html", "refsource": "CONFIRM", "url": "http://www.mozilla.org/security/announce/2016/mfsa2016-45.html"}, {"name": "openSUSE-SU-2016:1251", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-05/msg00038.html"}, {"name": "USN-2936-2", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2936-2"}, {"name": "GLSA-201701-15", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201701-15"}, {"name": "USN-2936-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2936-1"}, {"name": "USN-2936-3", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2936-3"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1223743", "refsource": "CONFIRM", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1223743"}]}}}}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2016-2816", "datePublished": "2016-04-30T17:00:00", "dateReserved": "2016-03-01T00:00:00", "dateUpdated": "2017-06-30T16:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "97000851-C511-487E-A5E8-FCB173D76624", "versionEndIncluding": "45.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Mozilla Firefox before 46.0 allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism via the multipart/x-mixed-replace content type."}, {"lang": "es", "value": "Mozilla Firefox en versiones anteriores a 46.0 permite a atacantes remotos eludir el mecanismo de protecci\u00f3n Content Security Policy (CSP) a trav\u00e9s del tipo de contenido multipart/x-mixed-replace."}], "id": "CVE-2016-2816", "lastModified": "2017-07-01T01:29:40.890", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-04-30T17:59:13.647", "references": [{"source": "security@mozilla.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00005.html"}, {"source": "security@mozilla.org", "url": "http://lists.opensuse.org/opensuse-updates/2016-05/msg00038.html"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "http://www.mozilla.org/security/announce/2016/mfsa2016-45.html"}, {"source": "security@mozilla.org", "url": "http://www.securitytracker.com/id/1035692"}, {"source": "security@mozilla.org", "url": "http://www.ubuntu.com/usn/USN-2936-1"}, {"source": "security@mozilla.org", "url": "http://www.ubuntu.com/usn/USN-2936-2"}, {"source": "security@mozilla.org", "url": "http://www.ubuntu.com/usn/USN-2936-3"}, {"source": "security@mozilla.org", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1223743"}, {"source": "security@mozilla.org", "url": "https://security.gentoo.org/glsa/201701-15"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "nvd@nist.gov", "type": "Primary"}]}