Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2016-9064

Опубликовано: 16 нояб. 2016
Источник: redhat
CVSS3: 5.3
CVSS2: 4.3
EPSS Низкий

Описание

Add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated. An attacker who could perform a man-in-the-middle attack on the user's connection to the update server and defeat the certificate pinning protection could provide a malicious signed add-on instead of a valid update. This vulnerability affects Firefox ESR < 45.5 and Firefox < 50.

A flaw was found in the way Add-on update process was handled by Firefox. A Man-in-the-Middle attacker could use this flaw to install a malicious signed add-on update.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 5thunderbirdNot affected
Red Hat Enterprise Linux 6thunderbirdNot affected
Red Hat Enterprise Linux 7thunderbirdNot affected
Red Hat Enterprise Linux 5firefoxFixedRHSA-2016:278016.11.2016
Red Hat Enterprise Linux 6firefoxFixedRHSA-2016:278016.11.2016
Red Hat Enterprise Linux 7firefoxFixedRHSA-2016:278016.11.2016

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
https://bugzilla.redhat.com/show_bug.cgi?id=1395060Mozilla: Addons update must verify IDs match between current and new versions (MFSA 2016-89, MFSA 2016-90)

EPSS

Процентиль: 50%
0.00274
Низкий

5.3 Medium

CVSS3

4.3 Medium

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2016-9064

CVSS3: 5.9
ubuntu
около 7 лет назад

Add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated. An attacker who could perform a man-in-the-middle attack on the user's connection to the update server and defeat the certificate pinning protection could provide a malicious signed add-on instead of a valid update. This vulnerability affects Firefox ESR < 45.5 and Firefox < 50.

nvd логотип

CVE-2016-9064

CVSS3: 5.9
nvd
около 7 лет назад

Add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated. An attacker who could perform a man-in-the-middle attack on the user's connection to the update server and defeat the certificate pinning protection could provide a malicious signed add-on instead of a valid update. This vulnerability affects Firefox ESR < 45.5 and Firefox < 50.

debian логотип

CVE-2016-9064

CVSS3: 5.9
debian
около 7 лет назад

Add-on updates failed to verify that the add-on ID inside the signed p ...

github логотип

GHSA-pc4v-68rv-24q5

CVSS3: 5.9
github
больше 3 лет назад

Add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated. An attacker who could perform a man-in-the-middle attack on the user's connection to the update server and defeat the certificate pinning protection could provide a malicious signed add-on instead of a valid update. This vulnerability affects Firefox ESR < 45.5 and Firefox < 50.

oracle-oval логотип

ELSA-2016-2780

oracle-oval
почти 9 лет назад

ELSA-2016-2780: firefox security update (CRITICAL)

EPSS

Процентиль: 50%
0.00274
Низкий

5.3 Medium

CVSS3

4.3 Medium

CVSS2