Unsafe library loading vulnerabilities — Mozilla

2010-10-1900:00:00

Mozilla Foundation

www.mozilla.org

CVSS2

6.9

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

EPSS

Percentile

14.2%

JSON

Mozilla developer Ehsan Akhgari reported that a function used to load external libraries on Windows platforms was using a relative path to a DLL-loading application and was thus vulnerable to binary planting if an attacker was able to place an executable of the same name in the current working directory or any of the other locations that Windows searches for executables.

Affected configurations

Vulners

Node

mozillafirefoxRange<3.5.14

mozillafirefoxRange<3.6.11

mozillaseamonkeyRange<2.0.9

mozillathunderbirdRange<3.0.9

mozillathunderbirdRange<3.1.5

VendorProductVersionCPE
mozillafirefox*cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
mozillaseamonkey*cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*
mozillathunderbird*cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mozilla	firefox	*	cpe:2.3:a:mozilla:firefox::::::::
mozilla	seamonkey	*	cpe:2.3:a:mozilla:seamonkey::::::::
mozilla	thunderbird	*	cpe:2.3:a:mozilla:thunderbird::::::::