CVE-2014-1557

CVSS V2 High 9.3 CVSS V3 None
Description
The ConvolveHorizontally function in Skia, as used in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, does not properly handle the discarding of image data during function execution, which allows remote attackers to execute arbitrary code by triggering prolonged image scaling, as demonstrated by scaling of a high-quality image.
Overview
  • CVE ID
  • CVE-2014-1557
  • Assigner
  • security@mozilla.org
  • Vulnerability Status
  • Modified
  • Published Version
  • 2014-07-23T11:12:43
  • Last Modified Date
  • 2017-01-07T02:59:39
Weakness Enumerations
CWE URL
CWE-94 http://cwe.mitre.org/data/definitions/94.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* 1 OR 30.0
cpe:2.3:a:mozilla:firefox_esr:24.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox_esr:24.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox_esr:24.0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox_esr:24.1.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox_esr:24.1.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox_esr:24.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox_esr:24.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox_esr:24.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox_esr:24.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox_esr:24.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* 1 OR 24.6
cpe:2.3:a:mozilla:thunderbird:24.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:thunderbird:24.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:thunderbird:24.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:thunderbird:24.1.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:thunderbird:24.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:thunderbird:24.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:thunderbird:24.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:thunderbird:24.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:M/Au:N/C:C/I:C/A:C
  • Access Vector
  • NETWORK
  • Access Compatibility
  • MEDIUM
  • Authentication
  • NONE
  • Confidentiality Impact
  • COMPLETE
  • Integrity Impact
  • COMPLETE
  • Availability Impact
  • COMPLETE
  • Base Score
  • 9.3
  • Severity
  • HIGH
  • Exploitability Score
  • 8.6
  • Impact Score
  • 10
References
Reference URL Reference Tags
http://www.mozilla.org/security/announce/2014/mfsa2014-64.html Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=913805 Issue Tracking
http://www.debian.org/security/2014/dsa-2986 Third Party Advisory
http://www.debian.org/security/2014/dsa-2996 Third Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html Third Party Advisory
https://security.gentoo.org/glsa/201504-01
http://www.securitytracker.com/id/1030620
http://www.securitytracker.com/id/1030619
http://www.securityfocus.com/bid/68824
http://secunia.com/advisories/60628
http://secunia.com/advisories/60621
http://secunia.com/advisories/60486
http://secunia.com/advisories/60306
http://secunia.com/advisories/60083
http://secunia.com/advisories/59760
http://secunia.com/advisories/59719
http://secunia.com/advisories/59591
http://linux.oracle.com/errata/ELSA-2014-0918.html
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2014-1557
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1557
History
Created Old Value New Value Data Type Notes
2022-05-10 09:51:16 Added to TrackCVE
2022-12-02 00:02:11 2014-07-23T11:12Z 2014-07-23T11:12:43 CVE Published Date updated
2022-12-02 00:02:11 2017-01-07T02:59:39 CVE Modified Date updated
2022-12-02 00:02:11 Modified Vulnerability Status updated