CVE-2015-7183
Vulnerability Summary
Timeline
Description
Integer overflow in the PL_ARENA_ALLOCATE implementation in Netscape Portable Runtime (NSPR) in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.
CVSS Metrics
- v2.0•HIGH•Score: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS Trends
Current EPSS score: 4.70%• Percentile: 90%
Techniques & Countermeasures
- CWE-119•Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
- CWE-189•Numeric Errors
Weaknesses in this category are related to improper calculation or conversion of numbers.
Affected Systems
- mozilla•firefox
≤ 41.0.2 | 38.0 | 38.0.1 | 38.0.5 | 38.1.0 | 38.1.1 | 38.2.0 | 38.2.1 | 38.3.0
- mozilla•network_security_services
≤ 3.19.2.0 | 3.20.0
References (34)
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- http://www.securitytracker.com/id/1034069
- https://bto.bluecoat.com/security-advisory/sa119
- http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00025.html
- https://security.gentoo.org/glsa/201512-10
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00021.html
- https://bugzilla.mozilla.org/show_bug.cgi?id=1205157
- http://www.debian.org/security/2015/dsa-3406
- http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
- http://lists.opensuse.org/opensuse-updates/2015-12/msg00037.html
- https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.20.1_release_notes
- http://www.ubuntu.com/usn/USN-2785-1
- http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00013.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
- http://rhn.redhat.com/errata/RHSA-2015-1981.html
- http://www.ubuntu.com/usn/USN-2819-1
- http://www.securityfocus.com/bid/77415
- http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
- http://www.securityfocus.com/bid/91787
- https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.4_release_notes
- http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00015.html
- http://rhn.redhat.com/errata/RHSA-2015-1980.html
- http://www.ubuntu.com/usn/USN-2790-1
- http://www.debian.org/security/2015/dsa-3393
- https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.2.1_release_notes
- http://packetstormsecurity.com/files/134268/Slackware-Security-Advisory-mozilla-nss-Updates.html
- http://lists.opensuse.org/opensuse-updates/2015-12/msg00049.html
- https://security.gentoo.org/glsa/201605-06
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.399753
- http://www.mozilla.org/security/announce/2015/mfsa2015-133.html
- http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00020.html