CVE-2015-4495

Impact:
Important
Public Date:
2015-08-06
Bugzilla:
1251318: CVE-2015-4495 Mozilla: Same origin violation and local file stealing via PDF reader (MFSA 2015-78)
A flaw was discovered in Mozilla Firefox that could be used to violate the same-origin policy and inject web script into a non-privileged part of the built-in PDF file viewer (PDF.js). An attacker could create a malicious web page that, when viewed by a victim, could steal arbitrary files (including private SSH keys, the /etc/passwd file, and other potentially sensitive files) from the system running Firefox.

Find out more about CVE-2015-4495 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v2 metrics

Base Score 4.3
Base Metrics AV:N/AC:M/Au:N/C:P/I:N/A:N
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Partial
Integrity Impact None
Availability Impact None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 5 (firefox) RHSA-2015:1581 2015-08-07
Red Hat Enterprise Linux 6 (firefox) RHSA-2015:1581 2015-08-07
Red Hat Enterprise Linux 7 (firefox) RHSA-2015:1581 2015-08-07

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 7 thunderbird Not affected
Red Hat Enterprise Linux 6 thunderbird Not affected
Red Hat Enterprise Linux 5 thunderbird Not affected

Acknowledgements

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Cody Crews as the original reporter.

Mitigation

External References

Last Modified