CVE-2015-0834 — Sensitive Information Exposure in Mozilla Firefox

CWE-200 — Sensitive Information Exposure CWE-319 — Cleartext Transmission of Sensitive Info9 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.5%

top 33.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Canonical Ubuntu Linux Opensuse

Timeline

PublishedFeb 25

Latest updateMay 14

Description

The WebRTC subsystem in Mozilla Firefox before 36.0 recognizes turns: and stuns: URIs but accesses the TURN or STUN server without using TLS, which makes it easier for man-in-the-middle attackers to discover credentials by spoofing a server and completing a brute-force attack within a short time window.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶Ubuntumozilla/firefox< 36.0+build2-0ubuntu0.14.04.4+1

▶NVDmozilla/firefox35.0.1+214

▶NVDopensuse/opensuse13.1, 13.2+1

Also affects: Ubuntu Linux 12.04, 14.04, 14.10

🔴Vulnerability Details

GHSA

GHSA-9cm2-qg89-qv3m: The WebRTC subsystem in Mozilla Firefox before 36↗2022-05-14

▶

OSV

firefox regression↗2015-03-09

▶

OSV

CVE-2015-0834: The WebRTC subsystem in Mozilla Firefox before 36↗2015-02-25

▶

OSV

firefox vulnerabilities↗2015-02-25

▶

📋Vendor Advisories

Ubuntu

Firefox regression↗2015-03-09

▶

Ubuntu

Firefox vulnerabilities↗2015-02-25

▶

Red Hat

Mozilla: TLS TURN and STUN connections silently fail to simple TCP connections (MFSA 2015-15)↗2015-02-24

▶

💬Community

Bugzilla

CVE-2015-0834 Mozilla: TLS TURN and STUN connections silently fail to simple TCP connections (MFSA 2015-15)↗2015-02-24

▶