CVE-2014-1564
published 2014-09-03CVE-2014-1564: Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 do not properly initialize memory for GIF rendering, which allows…
PriorityP424medium4.3CVSS 2.0
AVNACMAuNCPINAN
EXPLOIT
EPSS
5.46%
91.8th percentile
Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 do not properly initialize memory for GIF rendering, which allows remote attackers to obtain sensitive information from process memory via crafted web script that interacts with a CANVAS element associated with a malformed GIF image.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox | <= 31.1.0 | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 32.0+build1-0ubuntu0.14.04.1 | 32.0+build1-0ubuntu0.14.04.1 |
| mozilla | thunderbird | — | — |
| mozilla | thunderbird | >= 0 < 1:31.1.1+build1-0ubuntu0.14.04.1 | 1:31.1.1+build1-0ubuntu0.14.04.1 |
| opensuse | evergreen | — | — |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
CVSS provenance
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:P/I:N/A:N
osv10.0CRITICAL
vendor_ubuntu10.0CRITICAL
vendor_redhat4.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-cmpx-j54c-xj6j: Mozilla Firefox before 32
ghsa_unreviewed·2022-05-14
CVE-2014-1564 [MEDIUM] CWE-824 GHSA-cmpx-j54c-xj6j: Mozilla Firefox before 32
Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 do not properly initialize memory for GIF rendering, which allows remote attackers to obtain sensitive information from process memory via crafted web script that interacts with a CANVAS element associated with a malformed GIF image.
OSV
thunderbird vulnerabilities
osv·2014-09-11·CVSS 10.0
CVE-2014-1553 [CRITICAL] thunderbird vulnerabilities
thunderbird vulnerabilities
Jan de Mooij, Christian Holler, Karl Tomlinson, Randell Jesup, Gary Kwong,
Jesse Ruderman and JW Wang discovered multiple memory safety issues in
Thunderbird. If a user were tricked in to opening a specially crafted
message with scripting enabled, an attacker could potentially exploit
these to cause a denial of service via application crash, or execute
arbitrary code with the privileges of the user invoking Thunderbird.
(CVE-2014-1553, CVE-2014-1562)
Abhishek Arya discovered a use-after-free during DOM interactions with
SVG. If a user were tricked in to opening a specially crafted message
with scripting enabled, an attacker could potentially exploit this to
cause a denial of service via application crash or execute arbitrary code
with the privileges of the use
OSV
firefox vulnerabilities
osv·2014-09-02·CVSS 10.0
CVE-2014-1553 [CRITICAL] firefox vulnerabilities
firefox vulnerabilities
Jan de Mooij, Christian Holler, Karl Tomlinson, Randell Jesup, Gary Kwong,
Jesse Ruderman, JW Wang and David Weir discovered multiple memory safety
issues in Firefox. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit these to cause a
denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking Firefox. (CVE-2014-1553,
CVE-2014-1554, CVE-2014-1562)
Abhishek Arya discovered a use-after-free during DOM interactions with
SVG. If a user were tricked in to opening a specially crafted page, an
attacker could potentially exploit this to cause a denial of service via
application crash or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2014-1563
OSV
CVE-2014-1564: Mozilla Firefox before 32
osv·2014-09-02·CVSS 4.3
CVE-2014-1564 [MEDIUM] CVE-2014-1564: Mozilla Firefox before 32
Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 do not properly initialize memory for GIF rendering, which allows remote attackers to obtain sensitive information from process memory via crafted web script that interacts with a CANVAS element associated with a malformed GIF image.
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2014-09-11·CVSS 10.0
CVE-2014-1553 [CRITICAL] Thunderbird vulnerabilities
Title: Thunderbird vulnerabilities
Summary: Several security issues were fixed in Thunderbird.
Jan de Mooij, Christian Holler, Karl Tomlinson, Randell Jesup, Gary Kwong,
Jesse Ruderman and JW Wang discovered multiple memory safety issues in
Thunderbird. If a user were tricked in to opening a specially crafted
message with scripting enabled, an attacker could potentially exploit
these to cause a denial of service via application crash, or execute
arbitrary code with the privileges of the user invoking Thunderbird.
(CVE-2014-1553, CVE-2014-1562)
Abhishek Arya discovered a use-after-free during DOM interactions with
SVG. If a user were tricked in to opening a specially crafted message
with scripting enabled, an attacker could potentially exploit this to
cause a denial of service via applic
Red Hat
Mozilla: Uninitialized memory use during GIF rendering (MFSA 2014-69)
vendor_redhat·2014-09-03·CVSS 4.3
CVE-2014-1564 [MEDIUM] Mozilla: Uninitialized memory use during GIF rendering (MFSA 2014-69)
Mozilla: Uninitialized memory use during GIF rendering (MFSA 2014-69)
Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 do not properly initialize memory for GIF rendering, which allows remote attackers to obtain sensitive information from process memory via crafted web script that interacts with a CANVAS element associated with a malformed GIF image.
Statement: This issue does not affect the version of firefox and thunderbird as shipped with Red Hat Enterprise Linux 5, 6 and 7.
Package: firefox (Red Hat Enterprise Linux 5) - Not affected
Package: thunderbird (Red Hat Enterprise Linux 5) - Not affected
Package: firefox (Red Hat Enterprise Linux 6) - Not affected
Package: thunderbird (Red Hat Enterprise Linux 6) - Not affected
Package: firefo
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2014-09-02·CVSS 10.0
CVE-2014-1553 [CRITICAL] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Jan de Mooij, Christian Holler, Karl Tomlinson, Randell Jesup, Gary Kwong,
Jesse Ruderman, JW Wang and David Weir discovered multiple memory safety
issues in Firefox. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit these to cause a
denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking Firefox. (CVE-2014-1553,
CVE-2014-1554, CVE-2014-1562)
Abhishek Arya discovered a use-after-free during DOM interactions with
SVG. If a user were tricked in to opening a specially crafted page, an
attacker could potentially exploit this to cause a denial of service
No detection rules found.
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00003.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-01/msg00024.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.htmlhttp://lists.opensuse.org/opensuse-updates/2014-09/msg00011.htmlhttp://packetstormsecurity.com/files/128132/Mozilla-Firefox-Secret-Leak.htmlhttp://seclists.org/fulldisclosure/2014/Sep/18http://secunia.com/advisories/60148http://secunia.com/advisories/61114http://www.mozilla.org/security/announce/2014/mfsa2014-69.htmlhttp://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.htmlhttp://www.securityfocus.com/archive/1/533357/100/0/threadedhttp://www.securityfocus.com/bid/69525http://www.securitytracker.com/id/1030793http://www.securitytracker.com/id/1030794https://bugzilla.mozilla.org/show_bug.cgi?id=1045977https://security.gentoo.org/glsa/201504-01http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00003.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-01/msg00024.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.htmlhttp://lists.opensuse.org/opensuse-updates/2014-09/msg00011.htmlhttp://packetstormsecurity.com/files/128132/Mozilla-Firefox-Secret-Leak.htmlhttp://seclists.org/fulldisclosure/2014/Sep/18http://secunia.com/advisories/60148http://secunia.com/advisories/61114http://www.mozilla.org/security/announce/2014/mfsa2014-69.htmlhttp://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.htmlhttp://www.securityfocus.com/archive/1/533357/100/0/threadedhttp://www.securityfocus.com/bid/69525http://www.securitytracker.com/id/1030793http://www.securitytracker.com/id/1030794https://bugzilla.mozilla.org/show_bug.cgi?id=1045977https://security.gentoo.org/glsa/201504-01
2014-09-03
Published