| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 9.0 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Mozilla Firefox. It has been rated as critical. Affected by this issue is some unknown functionality of the component Layout Engine. The manipulation leads to resource management. This vulnerability is listed as CVE-2008-5500. The attack may be initiated remotely. There is no available exploit. Upgrading the affected component is advised.
Details
A vulnerability was found in Mozilla Firefox (Web Browser) and classified as very critical. This issue affects an unknown function of the component Layout Engine. The manipulation with an unknown input leads to a resource management vulnerability. Using CWE to declare the problem leads to CWE-399. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
The layout engine in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to cause a denial of service (crash) and possibly trigger memory corruption via vectors related to (1) a reachable assertion or (2) an integer overflow.
The weakness was presented 12/17/2008 by Jesse Ruderman (moz_bug_r_a4) as Bug 464998 as confirmed bug report (Bugzilla). It is possible to read the advisory at bugzilla.mozilla.org. The identification of this vulnerability is CVE-2008-5500 since 12/12/2008. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. The technical details are unknown and an exploit is not publicly available. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 08/03/2021).
It is declared as proof-of-concept. The vulnerability scanner Nessus provides a plugin with the ID 67777 (Oracle Linux 4 / 5 : firefox (ELSA-2008-1036)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Oracle Linux Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 165625 (SUSE Enterprise Linux Security Update Mozilla (SUSE-SA:2009:002)).
Upgrading to version 1.0.9 eliminates this vulnerability.
The vulnerability is also documented in the databases at X-Force (47406), Tenable (67777), SecurityFocus (BID 32882†), Secunia (SA33231†) and SecurityTracker (ID 1021417†). See VDB-45575, VDB-45574, VDB-45573 and VDB-45572 for similar entries. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Type
Vendor
Name
Version
- 2.0
- 2.0.0.1
- 2.0.0.2
- 2.0.0.3
- 2.0.0.4
- 2.0.0.5
- 2.0.0.6
- 2.0.0.7
- 2.0.0.8
- 2.0.0.9
- 2.0.0.10
- 2.0.0.11
- 2.0.0.12
- 2.0.0.13
- 2.0.0.14
- 2.0.0.15
- 2.0.0.16
- 2.0.0.17
- 2.0.0.18
- 3.0
- 3.0.1
- 3.0.2
- 3.0.3
- 3.0.4
License
Website
- Vendor: https://www.mozilla.org/
- Product: https://www.mozilla.org/en-US/firefox/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 10.0VulDB Meta Temp Score: 9.0
VulDB Base Score: 10.0
VulDB Temp Score: 9.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Resource managementCWE: CWE-399 / CWE-404
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Proof-of-Concept
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 67777
Nessus Name: Oracle Linux 4 / 5 : firefox (ELSA-2008-1036)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Port: 🔍
OpenVAS ID: 63143
OpenVAS Name: Debian Security Advisory DSA 1696-1 (icedove)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Firefox 1.0.9
PaloAlto IPS: 🔍
Timeline
12/12/2008 🔍12/16/2008 🔍
12/16/2008 🔍
12/17/2008 🔍
12/17/2008 🔍
12/17/2008 🔍
12/18/2008 🔍
12/18/2008 🔍
07/12/2013 🔍
03/17/2015 🔍
08/03/2021 🔍
Sources
Vendor: mozilla.orgProduct: mozilla.org
Advisory: Bug 464998
Researcher: Jesse Ruderman (moz_bug_r_a4)
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2008-5500 (🔍)
GCVE (CVE): GCVE-0-2008-5500
GCVE (VulDB): GCVE-100-45563
OVAL: 🔍
X-Force: 47406
SecurityFocus: 32882 - Mozilla Firefox/Thunderbird/SeaMonkey Multiple Remote Vulnerabilities
Secunia: 33231 - Ubuntu update for firefox, Highly Critical
SecurityTracker: 1021417 - Mozilla Firefox Bugs in JavaScript Engine and Layout Engine May Let Remote Users Execute Arbitrary Code
Vulnerability Center: 20259 - Mozilla Firefox, Thunderbird, SeaMonkey Layout Engine Integer Overflow Remote DoS or Code Execution, Medium
Vupen: ADV-2009-0977
See also: 🔍
Entry
Created: 03/17/2015 16:11Updated: 08/03/2021 15:59
Changes: 03/17/2015 16:11 (71), 04/13/2017 12:26 (19), 08/03/2021 15:59 (3)
Complete: 🔍
Cache ID: 216::103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.