Mozilla Firefox ESR < 52.7 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 700335
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox ESR earlier than 52.7 are unpatched for the following vulnerabilities :

- An overflow condition exists that is triggered when handling SVG animatedPathSegList attributes. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code.
- A flaw exists in 'netwerk/protocol/http/HttpBaseChannel.cpp' that is triggered as local copies of resources that were sent with a no-store or no-cache header may be returned by the 'fetch()' API. This allows a local attacker to gain access to potentially sensitive information.
- An out-of-bounds write flaw exists that is triggered when handling plane widths and stride constraints in IPC messages. This may allow a context-dependent attacker to bypass sandbox restrictions.
- A flaw exists in the 'JsepTrack::NegotiateCodecs()' function in 'media/webrtc/signaling/src/jsep/JsepTrack.cpp' that is triggered when handling RTP payload types in WebRTC connections. With specially crafted packets, a context-dependent attacker can corrupt memory and potentially execute arbitrary code.
- An integer overflow condition exists that is triggered as certain length parameters are not properly validated during conversion of text to unicode character sets. This may allow a context-dependent attacker to have an unspecified impact.
- A use-after-free condition exists in 'layout/base/nsDocumentViewer.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists that is triggered when handling HTTP/2 streams. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A type confusion flaw exists in the 'EventStateManager::NotifyMouseOver()' function in 'dom/events/EventStateManager.cpp' that is triggered when handling mouseover events. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'JSStructuredCloneReader::readHeader()' function in 'vm/StructuredClone.cpp' that is triggered when handling structured clone data. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'jit::MakeMRegExpHoistable()' function in 'jit/IonAnalysis.cpp' that is triggered when optimization for regular expressions. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A type confusion flaw exists in the 'JSObject::setFlags()' function in 'vm/Shape.cpp' that is triggered when checking for dictionary mode. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'vpx_codec_enc_init_multi_ver()' function in 'vpx_encoder.c' that is triggered when handling memory during early exits. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists that is related to document renderer handling. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An arithmetic flaw exists in the 'nsTextFrame::GetRenderedText()' function in 'layout/generic/nsTextFrame.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free error exists in the EditorBase destructor in 'editor/libeditor/EditorBase.cpp' that is triggered when unlinking cycle collectors. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An out-of-bounds write flaw exists in 'vp9/encoder/x86/vp9_quantize_ssse3_x86_64.asm' that is triggered when handling memory 'pointers.This' may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'nsDocumentEncoder::SerializeToStringRecursive()' function in 'dom/base/nsDocumentEncoder.cpp' that is triggered when serializing DOM nodes. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An out-of-bounds write flaw exists in the 'vorbis_book_decodevs_add()', 'vorbis_book_decodev_add()', and 'vorbis_book_decodevv_add()' functions in 'codebook.c' that is triggered when decoding codebooks from Vorbis audio data. This may allow a context-dependent attacker to corrupt memory and execute arbitrary code.

Solution

Upgrade to Firefox ESR version 52.7 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2018-07

Plugin Details

Severity: High

ID: 700335

Family: Web Clients

Published: 8/21/2018

Updated: 11/6/2019

Dependencies: 9131

Nessus ID: 108376

Risk Information

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*

Patch Publication Date: 3/13/2018

Vulnerability Publication Date: 3/1/2018

Reference Information

CVE: CVE-2018-5146, CVE-2018-5125, CVE-2018-5127, CVE-2018-5129, CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5145, CVE-2018-5147

BID: 103388, 103384, 103432