Mozilla Firefox up to 3.0.5 HTTP Directive information disclosure

| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 3.4 | $0-$5k | 0.00 |
Summary
A vulnerability labeled as problematic has been found in Mozilla Firefox up to 3.0.5. This vulnerability affects unknown code of the component HTTP Directive Handler. The manipulation results in information disclosure. This vulnerability is known as CVE-2009-0358. No exploit is available. The affected component should be upgraded.
Details
A vulnerability was found in Mozilla Firefox up to 3.0.5 (Web Browser). It has been classified as problematic. Affected is an unknown part of the component HTTP Directive Handler. The manipulation with an unknown input leads to a information disclosure vulnerability. CWE is classifying the issue as CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. This is going to have an impact on confidentiality. CVE summarizes:
Mozilla Firefox 3.x before 3.0.6 does not properly implement the (1) no-store and (2) no-cache Cache-Control directives, which allows local users to obtain sensitive information by using the (a) back button or (b) history list of the victim s browser, as demonstrated by reading the response page of an https POST request.
The bug was discovered 02/03/2009. The weakness was published 02/04/2009 by Georgi Guninski (moz_bug_r_a4) with Mozilla (Website). The advisory is available at secunia.com. This vulnerability is traded as CVE-2009-0358 since 01/29/2009. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1592 by the MITRE ATT&CK project.
It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 1 days. During that time the estimated underground price was around $25k-$100k. The vulnerability scanner Nessus provides a plugin with the ID 35590 (CentOS 4 / 5 : firefox (CESA-2009:0256)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family CentOS Local Security Checks and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 116184 (Mozilla Firefox/Thunderbird/SeaMonkey Multiple Vulnerabilities (MFSA 2009-01 to -06 RHSA-2009:0256 RHSA-2009:0257)).
Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (48464), Tenable (35590), SecurityFocus (BID 33598†), OSVDB (51925†) and Secunia (SA33799†). Similar entries are available at VDB-3928, VDB-3924, VDB-3929 and VDB-3925. If you want to get best quality of vulnerability data, you may have to visit VulDB.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.mozilla.org/
- Product: https://www.mozilla.org/en-US/firefox/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 3.7VulDB Meta Temp Score: 3.4
VulDB Base Score: 3.7
VulDB Temp Score: 3.4
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Information disclosureCWE: CWE-200 / CWE-284 / CWE-266
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Proof-of-Concept
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 35590
Nessus Name: CentOS 4 / 5 : firefox (CESA-2009:0256)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
OpenVAS ID: 63378
OpenVAS Name: Fedora Core 10 FEDORA-2009-1398 (xulrunner)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Timeline
01/29/2009 🔍02/03/2009 🔍
02/03/2009 🔍
02/03/2009 🔍
02/04/2009 🔍
02/04/2009 🔍
02/04/2009 🔍
02/04/2009 🔍
02/04/2009 🔍
02/04/2009 🔍
02/05/2009 🔍
02/05/2009 🔍
02/19/2009 🔍
08/26/2019 🔍
Sources
Vendor: mozilla.orgProduct: mozilla.org
Advisory: secunia.com⛔
Researcher: Georgi Guninski (moz_bug_r_a4)
Organization: Mozilla
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2009-0358 (🔍)
GCVE (CVE): GCVE-0-2009-0358
GCVE (VulDB): GCVE-100-3930
OVAL: 🔍
X-Force: 48464
SecurityFocus: 33598 - Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2009 -01 to -06 Multiple Remote Vulnerabilities
Secunia: 33799
OSVDB: 51925 - Mozilla Firefox Multiple Cache-Control Directives Local Information Disclosure
SecurityTracker: 1021667
Vulnerability Center: 20735 - Mozilla Firefox <3.0.6 HTTP Directives Local Information Disclosure Vulnerability, Low
Vupen: ADV-2009-0313
See also: 🔍
Entry
Created: 02/19/2009 17:15Updated: 08/26/2019 16:01
Changes: 02/19/2009 17:15 (96), 08/26/2019 16:01 (2)
Complete: 🔍
Cache ID: 216::103
If you want to get best quality of vulnerability data, you may have to visit VulDB.
No comments yet. Languages: en.
Please log in to comment.