CVE-2015-2743

PDF.js in Mozilla Firefox before 39.0 and Firefox ESR 31.x before 31.8 and 38.x before 38.1 enables excessive privileges for internal Workers, which might allow remote attackers to execute arbitrary code by leveraging a Same Origin Policy bypass.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00025.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00033.html	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00034.html	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.html
http://rhn.redhat.com/errata/RHSA-2015-1207.html
http://www.debian.org/security/2015/dsa-3300
http://www.mozilla.org/security/announce/2015/mfsa2015-69.html	Vendor Advisory
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html	Third Party Advisory
http://www.securityfocus.com/bid/75541
http://www.securitytracker.com/id/1032783
http://www.ubuntu.com/usn/USN-2656-1
http://www.ubuntu.com/usn/USN-2656-2
https://bugzilla.mozilla.org/show_bug.cgi?id=1163109	Issue Tracking
https://security.gentoo.org/glsa/201512-10

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mozilla:firefox:31.0:::::::*
	cpe:2.3:a:mozilla:firefox:31.1.0:::::::*
	cpe:2.3:a:mozilla:firefox:31.1.1:::::::*
	cpe:2.3:a:mozilla:firefox:31.3.0:::::::*
	cpe:2.3:a:mozilla:firefox:31.5.1:::::::*
	cpe:2.3:a:mozilla:firefox:31.5.2:::::::*
	cpe:2.3:a:mozilla:firefox:31.5.3:::::::*
	cpe:2.3:a:mozilla:firefox:38.0:::::::*
	cpe:2.3:a:mozilla:firefox_esr:31.1:::::::*
	cpe:2.3:a:mozilla:firefox_esr:31.2:::::::*
	cpe:2.3:a:mozilla:firefox_esr:31.3:::::::*
	cpe:2.3:a:mozilla:firefox_esr:31.4:::::::*
	cpe:2.3:a:mozilla:firefox_esr:31.5:::::::*
	cpe:2.3:a:mozilla:firefox_esr:31.6.0:::::::*
	cpe:2.3:a:mozilla:firefox_esr:31.7.0:::::::*

Configuration 2 (hide)

cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

Configuration 4 (hide)

OR	cpe:2.3:a:novell:suse_linux_enterprise_software_development_kit:12.0:::::::*
	cpe:2.3:o:novell:suse_linux_enterprise_desktop:12.0:::::::*
	cpe:2.3:o:novell:suse_linux_enterprise_server:11:sp4::::::
	cpe:2.3:o:novell:suse_linux_enterprise_server:12.0:::::::*

History

22 Oct 2024, 13:54

Type	Values Removed	Values Added
CPE	cpe:2.3:a:mozilla:firefox_esr:31.5.1:::::::* cpe:2.3:a:mozilla:firefox_esr:38.0:::::::*	cpe:2.3:a:mozilla:firefox:31.5.1:::::::* cpe:2.3:a:mozilla:firefox:38.0:::::::*

21 Oct 2024, 13:55

Type	Values Removed	Values Added
CPE	cpe:2.3:a:mozilla:firefox_esr:31.1.0:::::::* cpe:2.3:a:mozilla:firefox_esr:31.0:::::::*	cpe:2.3:a:mozilla:firefox:31.0:::::::* cpe:2.3:a:mozilla:firefox:31.1.0:::::::*

21 Oct 2024, 13:11

Type	Values Removed	Values Added
CPE	cpe:2.3:a:mozilla:firefox_esr:31.5.3:::::::* cpe:2.3:a:mozilla:firefox_esr:31.5.2:::::::* cpe:2.3:a:mozilla:firefox_esr:31.1.1:::::::* cpe:2.3:a:mozilla:firefox_esr:31.3.0:::::::*	cpe:2.3:a:mozilla:firefox:31.5.2:::::::* cpe:2.3:a:mozilla:firefox:31.3.0:::::::* cpe:2.3:a:mozilla:firefox:31.1.1:::::::* cpe:2.3:a:mozilla:firefox:31.5.3:::::::*

12 Sep 2023, 14:55

Type	Values Removed	Values Added
CPE	cpe:2.3:o:novell:suse_linux_enterprise_software_development_kit:12.0:::::::*	cpe:2.3:a:novell:suse_linux_enterprise_software_development_kit:12.0:::::::*

Information

Published : 2015-07-06 02:01

Updated : 2024-10-22 13:54

NVD link : CVE-2015-2743

Mitre link : CVE-2015-2743

CVE.ORG link : CVE-2015-2743

JSON object : View

Products Affected

mozilla

firefox
firefox_esr

novell

suse_linux_enterprise_software_development_kit
suse_linux_enterprise_server
suse_linux_enterprise_desktop

oracle

solaris

CWE

CWE-17

DEPRECATED: Code

7.5 /10