CVE-2008-5021
Last modified
CVE-2008-5021 is a vulnerability of currently unknown severity. nsFrameManager in Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by modifying properties of a file input element while it is still being initialized, then using the blur method to access uninitialized memory. EPSS estimates a 3.63% chance of exploitation in the next 30 days.
Description
nsFrameManager in Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by modifying properties of a file input element while it is still being initialized, then using the blur method to access uninitialized memory.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Mozilla | Firefox | >= 2.0, < 2.0.0.18 | — |
| Mozilla | Firefox | >= 3.0, < 3.0.4 | — |
| Mozilla | SeaMonkey | >= 1.0, < 1.1.13 | — |
| Mozilla | Thunderbird | >= 2.0, < 2.0.0.18 | — |
| Debian | Debian Linux | 4.0 | — |
| Canonical | Ubuntu Linux | 6.06 | — |
| Canonical | Ubuntu Linux | 7.10 | — |
| Canonical | Ubuntu Linux | 8.04 | — |
| Canonical | Ubuntu Linux | 8.10 | — |
| Fedoraproject | Fedora | 8 | — |
| Fedoraproject | Fedora | 9 | — |
| Suse | Linux Enterprise Debuginfo | 10 | Sp2 |
| Novell | Linux Desktop | 9 | — |
| Novell | Open Enterprise Server | All versions | — |
| Opensuse | Opensuse | 10.2 | — |
| Opensuse | Opensuse | 10.3 | — |
| Opensuse | Opensuse | 11.0 | — |
| Suse | Linux Enterprise Desktop | 10 | — |
| Suse | Linux Enterprise Server | 9 | — |
| Suse | Linux Enterprise Server | 10 | Sp1 |
| Suse | Linux Enterprise Software Development Kit | 10 | Sp1 |
References
- http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00004.html (Mailing List, Third Party Advisory)
- http://secunia.com/advisories/32684 (Broken Link, Third Party Advisory)
- http://secunia.com/advisories/32693 (Broken Link, Third Party Advisory)
- http://secunia.com/advisories/32694 (Broken Link, Third Party Advisory)
- http://secunia.com/advisories/32695 (Broken Link, Third Party Advisory)
- http://secunia.com/advisories/32713 (Broken Link, Third Party Advisory)
- http://secunia.com/advisories/32714 (Broken Link, Third Party Advisory)
- http://secunia.com/advisories/32715 (Broken Link, Third Party Advisory)
- http://secunia.com/advisories/32721 (Broken Link, Third Party Advisory)
- http://secunia.com/advisories/32778 (Broken Link, Third Party Advisory)
- http://secunia.com/advisories/32798 (Broken Link, Third Party Advisory)
- http://secunia.com/advisories/32845 (Broken Link, Third Party Advisory)
- http://secunia.com/advisories/32853 (Broken Link, Third Party Advisory)
- http://secunia.com/advisories/33433 (Broken Link, Third Party Advisory)
- http://secunia.com/advisories/33434 (Broken Link, Third Party Advisory)
- http://secunia.com/advisories/34501 (Broken Link, Third Party Advisory)
- http://ubuntu.com/usn/usn-667-1 (Third Party Advisory)
- http://www.debian.org/security/2008/dsa-1669 (Mailing List, Third Party Advisory)
- http://www.debian.org/security/2008/dsa-1671 (Mailing List, Third Party Advisory)
- http://www.debian.org/security/2009/dsa-1696 (Mailing List, Third Party Advisory)
- http://www.debian.org/security/2009/dsa-1697 (Mailing List, Third Party Advisory)
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:228 (Broken Link, Third Party Advisory)
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:230 (Broken Link, Third Party Advisory)
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:235 (Broken Link, Third Party Advisory)
- http://www.redhat.com/support/errata/RHSA-2008-0976.html (Broken Link, Third Party Advisory)
- http://www.redhat.com/support/errata/RHSA-2008-0977.html (Broken Link, Third Party Advisory)
- http://www.redhat.com/support/errata/RHSA-2008-0978.html (Broken Link, Third Party Advisory)
- http://www.securityfocus.com/bid/32281 (Broken Link, Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id?1021186 (Broken Link, Third Party Advisory, VDB Entry)
- http://www.us-cert.gov/cas/techalerts/TA08-319A.html (Third Party Advisory, US Government Resource)
- http://www.vupen.com/english/advisories/2008/3146 (Broken Link, Third Party Advisory)
- http://www.vupen.com/english/advisories/2009/0977 (Broken Link, Third Party Advisory)
- https://bugzilla.mozilla.org/show_bug.cgi?id=460002 (Issue Tracking, Vendor Advisory)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9642 (Broken Link, Third Party Advisory)
- https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00366.html (Mailing List, Third Party Advisory)
- https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00385.html (Mailing List, Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Source: NVD / NIST
