CVE-2016-5284: Improper Input Validation in Firefox

Severity
NVD: 7.4 HIGH
OSV: 6.5 | OSV: 4.3
EPSS
0.5% (top 32.20%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 22
Latest update: May 14

Description

Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 rely on unintended expiration dates for Preloaded Public Key Pinning, which allows man-in-the-middle attackers to spoof add-on updates by leveraging possession of an X.509 server certificate for addons.mozilla.org signed by an arbitrary built-in Certification Authority.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 4.0

Affected Packages (5 packages)

Ubuntu | mozilla/firefox | < 49.0+build4-0ubuntu0.14.04.1+1
NVD | mozilla/firefox | 48.0.2+6
Ubuntu | mozilla/thunderbird | < 1:45.4.0+build1-0ubuntu0.14.04.1+1
debian | debian/firefox | < firefox 49.0-1 (sid)
debian | debian/firefox-esr | < firefox 49.0-1 (sid)

Vulnerability Details (4)

GHSA: GHSA-2fqh-hxv3-hqmx: Mozilla Firefox before 49 (2022-05-14)
OSV: thunderbird vulnerabilities (2016-10-27)
OSV: CVE-2016-5284: Mozilla Firefox before 49 (2016-09-22)
OSV: firefox vulnerabilities (2016-09-22)

Vendor Advisories (4)

Ubuntu: Thunderbird vulnerabilities (2016-10-27)
Ubuntu: Firefox vulnerabilities (2016-09-22)
Red Hat: Mozilla: Add-on update site certificate pin expiration (MFSA 2016-85, MFSA 2016-86) (2016-09-20)
Debian: CVE-2016-5284: firefox - Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.... (2016)

Community (2)

Bugzilla: CVE-2016-5284 Mozilla: Add-on update site certificate pin expiration (MFSA 2016-85, MFSA 2016-86) (2016-09-20)
Bugzilla: ESR-45/Tor Browser certificate pinning bypass for addons.mozilla.org and other built-in sites (2016-09-15)