CVE-2016-2830 - OpenCVE

Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 preserve the network connection used for favicon resource retrieval after the associated browser window is closed, which makes it easier for remote web servers to track users by observing network traffic from multiple IP addresses.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Mozilla	Firefox Esr Firefox

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox::::::::
	cpe:2.3:a:mozilla:firefox_esr:45.1.0:::::::*
	cpe:2.3:a:mozilla:firefox_esr:45.1.1:::::::*
	cpe:2.3:a:mozilla:firefox_esr:45.2.0:::::::*
	cpe:2.3:a:mozilla:firefox_esr:45.3.0:::::::*

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00029.html
http://rhn.redhat.com/errata/RHSA-2016-1551.html
http://www.debian.org/security/2016/dsa-3640
http://www.mozilla.org/security/announce/2016/mfsa2016-63.html	Vendor Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
http://www.securityfocus.com/bid/92261
http://www.securitytracker.com/id/1036508
http://www.ubuntu.com/usn/USN-3044-1
https://bugzilla.mozilla.org/show_bug.cgi?id=1255270	Issue Tracking Permissions Required
https://security.gentoo.org/glsa/201701-15

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mozilla

Published: 2016-08-05T01:00:00

Updated: 2017-08-15T09:57:01

Reserved: 2016-03-01T00:00:00

Link: CVE-2016-2830

JSON object: View

NVD Information

Status : Modified

Published: 2016-08-05T01:59:00.140

Modified: 2017-08-16T01:29:06.337

Link: CVE-2016-2830

JSON object: View

Redhat Information

No data.

CWE

CWE-200

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-08-02T00:00:00", "descriptions": [{"lang": "en", "value": "Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 preserve the network connection used for favicon resource retrieval after the associated browser window is closed, which makes it easier for remote web servers to track users by observing network traffic from multiple IP addresses."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-15T09:57:01", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"name": "DSA-3640", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3640"}, {"name": "1036508", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1036508"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html"}, {"name": "USN-3044-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-3044-1"}, {"name": "RHSA-2016:1551", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-1551.html"}, {"name": "GLSA-201701-15", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201701-15"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1255270"}, {"name": "openSUSE-SU-2016:1964", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html"}, {"name": "92261", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/92261"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.mozilla.org/security/announce/2016/mfsa2016-63.html"}, {"name": "openSUSE-SU-2016:2026", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00029.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2016-2830", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 preserve the network connection used for favicon resource retrieval after the associated browser window is closed, which makes it easier for remote web servers to track users by observing network traffic from multiple IP addresses."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "DSA-3640", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3640"}, {"name": "1036508", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1036508"}, {"name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html"}, {"name": "USN-3044-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-3044-1"}, {"name": "RHSA-2016:1551", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-1551.html"}, {"name": "GLSA-201701-15", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201701-15"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1255270", "refsource": "CONFIRM", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1255270"}, {"name": "openSUSE-SU-2016:1964", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html"}, {"name": "92261", "refsource": "BID", "url": "http://www.securityfocus.com/bid/92261"}, {"name": "http://www.mozilla.org/security/announce/2016/mfsa2016-63.html", "refsource": "CONFIRM", "url": "http://www.mozilla.org/security/announce/2016/mfsa2016-63.html"}, {"name": "openSUSE-SU-2016:2026", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00029.html"}]}}}}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2016-2830", "datePublished": "2016-08-05T01:00:00", "dateReserved": "2016-03-01T00:00:00", "dateUpdated": "2017-08-15T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "1456CC69-6E37-4C75-8D9A-172ED8A571EB", "versionEndIncluding": "47.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:45.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "B877383B-F7B3-433F-B7B0-2B1C731504F2", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:45.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "4F18C6F4-5C04-4E4B-A2CC-29C5338F0CD1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:45.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "BD9B460C-3328-44DC-AA80-EDE2E46AF787", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:45.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "BD5D9DC4-4D18-4491-BE90-CAE21CA1AA96", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 preserve the network connection used for favicon resource retrieval after the associated browser window is closed, which makes it easier for remote web servers to track users by observing network traffic from multiple IP addresses."}, {"lang": "es", "value": "Mozilla Firefox en versiones anteriores a 48.0 y Firefox ESR 45.x en versiones anteriores a 45.3 conserva la conexi\u00f3n de red usada para la recuperaci\u00f3n de recursos favicon despu\u00e9s de que la ventana del navegador asociado se cierre, lo que facilita a servidores web remotos rastrear usuarios mediante la observaci\u00f3n de tr\u00e1fico de red desde m\u00faltiples direcciones IP."}], "id": "CVE-2016-2830", "lastModified": "2017-08-16T01:29:06.337", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-08-05T01:59:00.140", "references": [{"source": "security@mozilla.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html"}, {"source": "security@mozilla.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00029.html"}, {"source": "security@mozilla.org", "url": "http://rhn.redhat.com/errata/RHSA-2016-1551.html"}, {"source": "security@mozilla.org", "url": "http://www.debian.org/security/2016/dsa-3640"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "http://www.mozilla.org/security/announce/2016/mfsa2016-63.html"}, {"source": "security@mozilla.org", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html"}, {"source": "security@mozilla.org", "url": "http://www.securityfocus.com/bid/92261"}, {"source": "security@mozilla.org", "url": "http://www.securitytracker.com/id/1036508"}, {"source": "security@mozilla.org", "url": "http://www.ubuntu.com/usn/USN-3044-1"}, {"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1255270"}, {"source": "security@mozilla.org", "url": "https://security.gentoo.org/glsa/201701-15"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}