Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2016-5284

Опубликовано: 20 сент. 2016
Источник: redhat
CVSS3: 7.4
CVSS2: 5.1
EPSS Низкий

Описание

Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 rely on unintended expiration dates for Preloaded Public Key Pinning, which allows man-in-the-middle attackers to spoof add-on updates by leveraging possession of an X.509 server certificate for addons.mozilla.org signed by an arbitrary built-in Certification Authority.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 5thunderbirdNot affected
Red Hat Enterprise Linux 6thunderbirdNot affected
Red Hat Enterprise Linux 7thunderbirdNot affected
Red Hat Enterprise Linux 5firefoxFixedRHSA-2016:191221.09.2016
Red Hat Enterprise Linux 6firefoxFixedRHSA-2016:191221.09.2016
Red Hat Enterprise Linux 7firefoxFixedRHSA-2016:191221.09.2016

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
https://bugzilla.redhat.com/show_bug.cgi?id=1377565Mozilla: Add-on update site certificate pin expiration (MFSA 2016-85, MFSA 2016-86)

EPSS

Процентиль: 63%
0.00462
Низкий

7.4 High

CVSS3

5.1 Medium

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2016-5284

CVSS3: 7.4
ubuntu
почти 9 лет назад

Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 rely on unintended expiration dates for Preloaded Public Key Pinning, which allows man-in-the-middle attackers to spoof add-on updates by leveraging possession of an X.509 server certificate for addons.mozilla.org signed by an arbitrary built-in Certification Authority.

nvd логотип

CVE-2016-5284

CVSS3: 7.4
nvd
почти 9 лет назад

Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 rely on unintended expiration dates for Preloaded Public Key Pinning, which allows man-in-the-middle attackers to spoof add-on updates by leveraging possession of an X.509 server certificate for addons.mozilla.org signed by an arbitrary built-in Certification Authority.

debian логотип

CVE-2016-5284

CVSS3: 7.4
debian
почти 9 лет назад

Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunder ...

github логотип

GHSA-2fqh-hxv3-hqmx

CVSS3: 7.4
github
больше 3 лет назад

Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 rely on unintended expiration dates for Preloaded Public Key Pinning, which allows man-in-the-middle attackers to spoof add-on updates by leveraging possession of an X.509 server certificate for addons.mozilla.org signed by an arbitrary built-in Certification Authority.

fstec логотип

BDU:2021-04197

CVSS3: 7.4
fstec
почти 9 лет назад

Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, существующая из-за недостаточной проверки входных данных, позволяющая нарушителю подделывать обновления надстроек

EPSS

Процентиль: 63%
0.00462
Низкий

7.4 High

CVSS3

5.1 Medium

CVSS2