CVE-2008-2801

HIGH

Description

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly implement JAR signing, which allows remote attackers to execute arbitrary code via (1) injection of JavaScript into documents within a JAR archive or (2) a JAR archive that uses relative URLs to JavaScript files.

References

http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00004.html

http://rhn.redhat.com/errata/RHSA-2008-0616.html

http://secunia.com/advisories/30878

http://secunia.com/advisories/30898

http://secunia.com/advisories/30903

http://secunia.com/advisories/30911

http://secunia.com/advisories/30949

http://secunia.com/advisories/31005

http://secunia.com/advisories/31008

http://secunia.com/advisories/31021

http://secunia.com/advisories/31023

http://secunia.com/advisories/31069

http://secunia.com/advisories/31076

http://secunia.com/advisories/31183

http://secunia.com/advisories/31195

http://secunia.com/advisories/31377

http://secunia.com/advisories/33433

http://secunia.com/advisories/34501

http://security.gentoo.org/glsa/glsa-200808-03.xml

http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.383152

http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.384911

http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1

http://wiki.rpath.com/Advisories:rPSA-2008-0216

http://www.debian.org/security/2008/dsa-1607

http://www.debian.org/security/2008/dsa-1615

http://www.debian.org/security/2009/dsa-1697

http://www.mandriva.com/security/advisories?name=MDVSA-2008:136

http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15

http://www.mozilla.org/security/announce/2008/mfsa2008-23.html

http://www.redhat.com/support/errata/RHSA-2008-0547.html

http://www.redhat.com/support/errata/RHSA-2008-0549.html

http://www.redhat.com/support/errata/RHSA-2008-0569.html

http://www.securityfocus.com/archive/1/494080/100/0/threaded

http://www.securityfocus.com/bid/30038

http://www.securitytracker.com/id?1020419

http://www.ubuntu.com/usn/usn-619-1

http://www.vupen.com/english/advisories/2008/1993/references

http://www.vupen.com/english/advisories/2009/0977

https://bugzilla.mozilla.org/show_bug.cgi?id=418996

https://bugzilla.mozilla.org/show_bug.cgi?id=424188

https://bugzilla.mozilla.org/show_bug.cgi?id=424426

https://issues.rpath.com/browse/RPL-2646

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11810

https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00207.html

https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00288.html

https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00295.html

Details

Source: MITRE

Published: 2008-07-07

Updated: 2018-10-11

Type: CWE-287

Risk Information

CVSS v2.0

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH