CVE-2008-2785 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2008-2785

CVE-2008-2785

June 19, 2008

Mozilla Firefox before 2.0.0.16 and 3.x before 3.0.1, Thunderbird before 2.0.0.16, and SeaMonkey before 1.1.11 use an incorrect integer data type as a CSS object reference counter in the CSSValue array (aka nsCSSValue:Array) data structure, which allows remote attackers to execute arbitrary code via a large number of references to a common CSS object, leading to a counter overflow and a free of in-use memory, aka ZDI-CAN-349.

Related Resources (62)

https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00672.html

http://secunia.com/advisories/31195

http://secunia.com/advisories/31403

http://secunia.com/advisories/31220

http://www.debian.org/security/2008/dsa-1615

http://secunia.com/advisories/31183

https://issues.rpath.com/browse/RPL-2683

http://secunia.com/advisories/31144

http://www.securityfocus.com/bid/29802

https://exchange.xforce.ibmcloud.com/vulnerabilities/43167

http://secunia.com/advisories/31253

http://rhn.redhat.com/errata/RHSA-2008-0616.html

http://www.slackware.org/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.380974

http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0238

http://www.ubuntu.com/usn/usn-626-1

https://www.redhat.com/archives/fedora-package-announce/2008-August/msg00125.html

http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1

http://www.ubuntu.com/usn/usn-629-1

http://secunia.com/advisories/31270

http://secunia.com/advisories/31154

https://access.redhat.com/security/cve/CVE-2008-2785

http://www.redhat.com/support/errata/RHSA-2008-0599.html

http://www.mozilla.org/security/announce/2008/mfsa2008-34.html

http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.410484

http://secunia.com/advisories/31122

http://www.mandriva.com/security/advisories?name=MDVSA-2008:148

http://secunia.com/advisories/31129

http://www.securityfocus.com/archive/1/494504/100/0/threaded

http://www.redhat.com/support/errata/RHSA-2008-0597.html

https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00667.html

http://secunia.com/advisories/30761

http://secunia.com/advisories/33433

http://www.securitytracker.com/id?1020336

https://bugzilla.mozilla.org/show_bug.cgi?id=440230

http://secunia.com/advisories/31157

http://www.ubuntu.com/usn/usn-623-1

http://www.securityfocus.com/archive/1/494860/100/0/threaded

http://dvlabs.tippingpoint.com/blog/2008/06/18/vulnerability-in-mozilla-firefox-30

http://www.mandriva.com/security/advisories?name=MDVSA-2008:155

http://www.zerodayinitiative.com/advisories/ZDI-08-044/

http://secunia.com/advisories/31145

http://www.debian.org/security/2008/dsa-1621

http://www.redhat.com/support/errata/RHSA-2008-0598.html

http://secunia.com/advisories/31121

http://secunia.com/advisories/31261

http://www.debian.org/security/2009/dsa-1697

http://www.debian.org/security/2008/dsa-1614

http://www.vupen.com/english/advisories/2009/0977

http://security.gentoo.org/glsa/glsa-200808-03.xml

https://www.redhat.com/archives/fedora-package-announce/2008-August/msg00144.html

http://secunia.com/advisories/31377

http://www.ubuntu.com/usn/usn-626-2

http://www.vupen.com/english/advisories/2008/1873

http://www.slackware.org/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.380767

http://secunia.com/advisories/31176

https://people.canonical.com/~ubuntu-security/cve/CVE-2008-2785

http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=InfoDocument-patchbuilder-readme5031400

http://secunia.com/advisories/31306

http://secunia.com/advisories/34501

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9900

http://blog.mozilla.com/security/2008/06/18/new-security-issue-under-investigation/

http://secunia.com/advisories/31286

Do you need more information?

CVSS v4

Base Score:

9.2

Attack Vector

NETWORK

Attack Complexity

HIGH

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

CVSS v2

Base Score:

9.3

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

EPSS

Base Score:

9.52