CVE-2014-1595

Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, and Thunderbird before 31.3 on Apple OS X 10.10 omit a CoreGraphics disable-logging action that is needed by jemalloc-based applications, which allows local users to obtain sensitive information by reading /tmp files, as demonstrated by credential information.

CVSS v2.0 2.1 LOW

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html
http://support.apple.com/HT204244
http://www.mozilla.org/security/announce/2014/mfsa2014-90.html	Vendor Advisory
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.reddit.com/r/netsec/comments/2ocxac/apple_coregraphics_framework_on_os_x_1010_is/
https://bugzilla.mozilla.org/show_bug.cgi?id=1092855

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:mozilla:firefox_esr:31.0:::::::*
	cpe:2.3:a:mozilla:firefox_esr:31.1.0:::::::*
	cpe:2.3:a:mozilla:firefox_esr:31.1.1:::::::*
	cpe:2.3:a:mozilla:firefox_esr:31.2:::::::*

cpe:2.3:o:apple:mac_os_x:10.10.0:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

cpe:2.3:o:apple:mac_os_x:10.10.0:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

cpe:2.3:o:apple:mac_os_x:10.10.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2014-12-11 11:59

Updated : 2024-02-28 12:20

NVD link : CVE-2014-1595

Mitre link : CVE-2014-1595

CVE.ORG link : CVE-2014-1595

JSON object : View

Products Affected

mozilla

firefox
firefox_esr
thunderbird

apple

mac_os_x

CWE

CWE-199

Information Management Errors

{"id": "CVE-2014-1595", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-12-11T11:59:09.243", "references": [{"url": "http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html", "source": "security@mozilla.org"}, {"url": "http://support.apple.com/HT204244", "source": "security@mozilla.org"}, {"url": "http://www.mozilla.org/security/announce/2014/mfsa2014-90.html", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", "source": "security@mozilla.org"}, {"url": "http://www.reddit.com/r/netsec/comments/2ocxac/apple_coregraphics_framework_on_os_x_1010_is/", "source": "security@mozilla.org"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1092855", "source": "security@mozilla.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-199"}]}], "descriptions": [{"lang": "en", "value": "Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, and Thunderbird before 31.3 on Apple OS X 10.10 omit a CoreGraphics disable-logging action that is needed by jemalloc-based applications, which allows local users to obtain sensitive information by reading /tmp files, as demonstrated by credential information."}, {"lang": "es", "value": "Mozilla Firefox anterior a 34.0, Firefox ESR 31.x anterior a 31.3, y Thunderbird anterior a 31.3 en Apple OS X 10.10 omiten una acci\u00f3n del registro de la deshabilitaci\u00f3n de CoreGraphics que es necesario para las aplicaciones basadas en jemalloc, lo que permite a usuarios locales obtener informaci\u00f3n sensible mediante la lectura de ficheros /tmp, tal y como fue demostrado por la informaci\u00f3n de credenciales."}], "lastModified": "2016-10-04T02:01:14.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox_esr:31.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "992DDB6B-F32C-4E80-B386-EB1643D079E4"}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:31.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "19837144-FBCC-4B36-BAF4-FCD9F9C2AAE5"}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:31.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D0DB1BAA-3729-48BD-A8D0-5BBF3D4ABDE6"}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:31.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7DCA6959-24B7-4F86-BE25-0A8A7C1A3D13"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:apple:mac_os_x:10.10.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C8A2286E-9D1C-4B56-8B40-150201B818AF"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9806D62C-E276-47AB-8675-8A3952D14B21", "versionEndIncluding": "31.2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:apple:mac_os_x:10.10.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C8A2286E-9D1C-4B56-8B40-150201B818AF"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A24FFC6-737A-4EA6-88EB-5A80DC2DC8D6", "versionEndIncluding": "33.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:apple:mac_os_x:10.10.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C8A2286E-9D1C-4B56-8B40-150201B818AF"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security@mozilla.org"}