CVE-2015-4495

EUVD-2015-4515
The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA-ADPADP
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 98%
Affected Products (NVD)
VendorProductVersion
mozillafirefox
𝑥
< 39.0.3
mozillafirefox
38.0 ≤
𝑥
< 38.1.1
mozillafirefox_os
𝑥
< 2.2
oraclesolaris
11.3
canonicalubuntu_linux
12.04
canonicalubuntu_linux
14.04
canonicalubuntu_linux
15.04
redhatenterprise_linux_desktop
5.0
redhatenterprise_linux_desktop
6.0
redhatenterprise_linux_desktop
7.0
redhatenterprise_linux_eus
6.7
redhatenterprise_linux_eus
7.1
redhatenterprise_linux_eus
7.2
redhatenterprise_linux_eus
7.3
redhatenterprise_linux_eus
7.4
redhatenterprise_linux_eus
7.5
redhatenterprise_linux_eus
7.6
redhatenterprise_linux_eus
7.7
redhatenterprise_linux_server
5.0
redhatenterprise_linux_server
6.0
redhatenterprise_linux_server
7.0
redhatenterprise_linux_server_aus
7.3
redhatenterprise_linux_server_aus
7.4
redhatenterprise_linux_server_aus
7.6
redhatenterprise_linux_server_aus
7.7
redhatenterprise_linux_server_tus
7.3
redhatenterprise_linux_server_tus
7.6
redhatenterprise_linux_server_tus
7.7
redhatenterprise_linux_workstation
5.0
redhatenterprise_linux_workstation
6.0
redhatenterprise_linux_workstation
7.0
opensuseopensuse
13.1
opensuseopensuse
13.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
pdf.js
bookworm
2.14.305+dfsg-2
fixed
bullseye
2.6.347+dfsg-3
fixed
jessie
not-affected
sid
2.14.305+dfsg-4
fixed
squeeze
not-affected
trixie
2.14.305+dfsg-4
fixed
wheezy
not-affected
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
firefox
precise
Fixed 39.0.3+build2-0ubuntu0.12.04.1
released
trusty
Fixed 39.0.3+build2-0ubuntu0.14.04.1
released
vivid
Fixed 39.0.3+build2-0ubuntu0.15.04.1
released
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00009.html
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00010.html
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00014.html
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00015.html
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00016.html
http://rhn.redhat.com/errata/RHSA-2015-1581.html
http://www.mozilla.org/security/announce/2015/mfsa2015-78.html
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.securityfocus.com/bid/76249
http://www.securitytracker.com/id/1033216
http://www.ubuntu.com/usn/USN-2707-1
https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/
https://bugzilla.mozilla.org/show_bug.cgi?id=1178058
https://bugzilla.mozilla.org/show_bug.cgi?id=1179262
https://security.gentoo.org/glsa/201512-10
https://www.exploit-db.com/exploits/37772/
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00009.html
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00010.html
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00014.html
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00015.html
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00016.html
http://rhn.redhat.com/errata/RHSA-2015-1581.html
http://www.mozilla.org/security/announce/2015/mfsa2015-78.html
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.securityfocus.com/bid/76249
http://www.securitytracker.com/id/1033216
http://www.ubuntu.com/usn/USN-2707-1
https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/
https://bugzilla.mozilla.org/show_bug.cgi?id=1178058
https://bugzilla.mozilla.org/show_bug.cgi?id=1179262
https://security.gentoo.org/glsa/201512-10
https://www.exploit-db.com/exploits/37772/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-4495