Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
0

CVE-2009-1837

Disclosure Date: June 12, 2009
CVE-2009-1837 CVSS v3 Base Score: 7.5
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Race condition in the NPObjWrapper_NewResolve function in modules/plugin/base/src/nsJSNPRuntime.cpp in xul.dll in Mozilla Firefox 3 before 3.0.11 might allow remote attackers to execute arbitrary code via a page transition during Java applet loading, related to a use-after-free vulnerability for memory associated with a destroyed Java object.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
7.5 High
Impact Score:
5.9
Exploitability Score:
1.6
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
High
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • debian,
  • fedoraproject,
  • mozilla,
  • redhat

Products

  • debian linux 5.0,
  • enterprise linux 4.0,
  • enterprise linux 5.0,
  • enterprise linux desktop 4.0,
  • enterprise linux desktop 5.0,
  • enterprise linux eus 4.8,
  • enterprise linux eus 5.3,
  • enterprise linux server 4.0,
  • enterprise linux server 5.0,
  • enterprise linux server aus 5.3,
  • enterprise linux workstation 4.0,
  • enterprise linux workstation 5.0,
  • fedora 10,
  • fedora 9,
  • firefox

References

Canonical
CVE-2009-1837 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1837)
BID-35360 (http://www.securityfocus.com/bid/35360)
BID-35326 (http://www.securityfocus.com/bid/35326)
Advisory
ADV-2009-1572 (http://www.vupen.com/english/advisories/2009/1572)
http://www.mozilla.org/security/announce/2009/mfsa2009-28.html
SECUNIA-34241 (http://secunia.com/advisories/34241)
20090612 Secunia Research: Mozilla Firefox Java Applet Loading Vulnerability (http://www.securityfocus.com/archive/1/504260/100/0/threaded)
https://bugzilla.mozilla.org/show_bug.cgi?id=486269
FEDORA-2009-6411 (https://www.redhat.com/archives/fedora-package-announce/2009-June/msg00657.html)
SECUNIA-35431 (http://secunia.com/advisories/35431)
SECUNIA-35331 (http://secunia.com/advisories/35331)
SECUNIA-35468 (http://secunia.com/advisories/35468)
FEDORA-2009-6366 (https://www.redhat.com/archives/fedora-package-announce/2009-June/msg00574.html)
SECUNIA-35415 (http://secunia.com/advisories/35415)
https://rhn.redhat.com/errata/RHSA-2009-1095.html
SECTRACK-1022386 (http://www.securitytracker.com/id?1022386)
https://bugzilla.redhat.com/show_bug.cgi?id=503579
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10628
DSA-1820 (http://www.debian.org/security/2009/dsa-1820)
SUNALERT-264308 (http://sunsolve.sun.com/search/document.do?assetkey=1-66-264308-1)
Miscellaneous
http://secunia.com/secunia_research/2009-19
http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.372468
http://secunia.com/secunia_research/2009-19/

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis