CVE-2016-9074 — Sensitive Information Exposure in Mozilla Firefox

CWE-200 — Sensitive Information Exposure CWE-385 — Covert Timing Channel9 documents7 sources

Severity

5.9MEDIUMNVD

OSV7.5

EPSS

1.2%

top 20.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird +4 more

Timeline

PublishedJun 11

Latest updateMay 14

Description

An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security Services (NSS) 3.26.1. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages9 packages

▶CVEListV5mozilla/firefoxunspecified — 50

▶NVDmozilla/firefox< 45.5.0+1

▶debiandebian/firefox-esr< firefox-esr 45.5.0esr-1 (bookworm)

▶CVEListV5mozilla/firefox_esrunspecified — 45.5

▶CVEListV5mozilla/thunderbirdunspecified — 45.5

Also affects: Debian Linux 8.0

🔴Vulnerability Details

GHSA

GHSA-wwm5-654g-jj42: An existing mitigation of timing side-channel attacks is insufficient in some circumstances↗2022-05-14

▶

OSV

CVE-2016-9074: An existing mitigation of timing side-channel attacks is insufficient in some circumstances↗2018-06-11

▶

OSV

nss vulnerabilities↗2017-01-04

▶

📋Vendor Advisories

Ubuntu

NSS vulnerabilities↗2017-01-04

▶

Red Hat

nss: Insufficient timing side-channel resistance in divSpoiler↗2016-11-15

▶

Debian

CVE-2016-9074: firefox-esr - An existing mitigation of timing side-channel attacks is insufficient in some ci...↗2016

▶

💬Community

Bugzilla

CVE-2016-9074 nss: Insufficient timing side-channel resistance in divSpoiler [fedora-all]↗2016-11-18

▶

Bugzilla

CVE-2016-9074 nss: Insufficient timing side-channel resistance in divSpoiler↗2016-11-18

▶