CVE-2013-0798

Mozilla Firefox before 20.0 on Android uses world-writable and world-readable permissions for the app_tmp installation directory in the local filesystem, which allows attackers to modify add-ons before installation via an application that leverages the time window during which app_tmp is used.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00013.html
http://www.mozilla.org/security/announce/2013/mfsa2013-33.html	Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=844832

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:mozilla:firefox::::::::
	cpe:2.3:a:mozilla:firefox:19.0:::::::*
	cpe:2.3:a:mozilla:firefox:19.0.1:::::::*

cpe:2.3:o:google:android:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2013-04-03 11:56

Updated : 2024-02-28 12:00

NVD link : CVE-2013-0798

Mitre link : CVE-2013-0798

CVE.ORG link : CVE-2013-0798

JSON object : View

Products Affected

mozilla

firefox

google

android

CWE

CWE-264

Permissions, Privileges, and Access Controls

{"id": "CVE-2013-0798", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2013-04-03T11:56:21.257", "references": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00013.html", "source": "security@mozilla.org"}, {"url": "http://www.mozilla.org/security/announce/2013/mfsa2013-33.html", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=844832", "source": "security@mozilla.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "Mozilla Firefox before 20.0 on Android uses world-writable and world-readable permissions for the app_tmp installation directory in the local filesystem, which allows attackers to modify add-ons before installation via an application that leverages the time window during which app_tmp is used."}, {"lang": "es", "value": "Mozilla Firefox antes de v20.0 en Android usa permisos de escritura y lectura globales para el la carpeta de instalaci\u00f3n app_tmp en el sistema de ficheros local, lo que permite a los atacantes modificar complementos antes de la instalaci\u00f3n a trav\u00e9s del manejo del tiempo de ventana mientras el app_tmp es usado."}], "lastModified": "2013-06-05T03:41:24.207", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D59284EC-92C2-467A-866B-DC315B4A4450", "versionEndIncluding": "19.0.2"}, {"criteria": "cpe:2.3:a:mozilla:firefox:19.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "06FF9DFE-491D-4260-8A49-07FD342B9412"}, {"criteria": "cpe:2.3:a:mozilla:firefox:19.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DE09D089-7F48-466B-B03A-C64152A12615"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:google:android:*:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8255F035-04C8-4158-B301-82101711939C"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security@mozilla.org"}