CVE-2016-9064: Improper Certificate Validation in Mozilla Firefox

Severity
NVD: 5.9 MEDIUM
OSV: 9.8
EPSS: 0.3% (top 49.18%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jun 11
Latest update: May 14

Description

Add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated. The signature check alone therefore proved only that the package was signed by the add-on signing authority, not that it was the update for this add-on. An attacker who could perform a man-in-the-middle attack on the user's connection to the update server and defeat the certificate pinning protection could provide a different, validly signed add-on in place of the genuine update. This vulnerability affects Firefox ESR < 45.5 and Firefox < 50.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.2 | Impact: 3.6

Affected Packages (6 packages)

Source    | Package             | Affected range
debian    | debian/firefox      | < firefox 50.0-1 (sid)
CVEListV5 | mozilla/firefox     | < 50 (lower bound unspecified)
NVD       | mozilla/firefox     | < 45.5.0+1
debian    | debian/firefox-esr  | < firefox 50.0-1 (sid)
CVEListV5 | mozilla/firefox_esr | < 45.5 (lower bound unspecified)

Patches

🔴 Vulnerability Details (3)

GHSA: GHSA-pc4v-68rv-24q5: Add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated (2022-05-14)
OSV: CVE-2016-9064: Add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated (2018-06-11)
OSV: firefox vulnerabilities (2016-11-19)

📋 Vendor Advisories (3)

Ubuntu: Firefox vulnerabilities (2016-11-19)
Red Hat: Mozilla: Addons update must verify IDs match between current and new versions (MFSA 2016-89, MFSA 2016-90) (2016-11-16)
Debian: CVE-2016-9064: firefox - Add-on updates failed to verify that the add-on ID inside the signed package mat... (2016)

💬 Community (1)

Bugzilla: CVE-2016-9064 Mozilla: Addons update must verify IDs match between current and new versions (MFSA 2016-89, MFSA 2016-90) (2016-11-15)