CVE-2014-8643 : Mozilla Firefox before 35.0 on Windows allows remote attackers to bypass the Gecko Media Plugin (GMP) sandbox protection

Mozilla Firefox before 35.0 on Windows allows remote attackers to bypass the Gecko Media Plugin (GMP) sandbox protection mechanism by leveraging access to the GMP process, as demonstrated by the OpenH264 plugin's process.

Published 2015-01-14 11:59:12

Updated 2018-10-30 16:27:36

Source Mozilla Corporation

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2014-8643

Probability of exploitation activity in the next 30 days: 0.94%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 81 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2014-8643

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.1	HIGH	AV:N/AC:M/Au:N/C:N/I:C/A:N	8.6	6.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Complete Availability Impact: None

CWE ids for CVE-2014-8643

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-8643

http://secunia.com/advisories/62253

Sign in

CVEs referencing this url
http://www.securityfocus.com/bid/72043

Mozilla Firefox Gecko Media Plugin Sandbox Security Bypass Vulnerability
https://bugzilla.mozilla.org/show_bug.cgi?id=1117140

1117140 - (CVE-2014-8643) GMP sandbox break-out on Windows through process handle
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

Oracle Solaris Bulletin - April 2016

CVEs referencing this url
http://www.securitytracker.com/id/1031533

Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Conduct Cross-Site Request Forgery Attacks, and Obtain Potentially Sensitive Information - SecurityTracker

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/99962

Mozilla Firefox Gecko Media Plugin security bypass CVE-2014-8643 Vulnerability Report
http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html

[security-announce] openSUSE-SU-2015:0192-1: important: Security update

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html

[security-announce] openSUSE-SU-2015:0077-1: important: Security update

CVEs referencing this url
http://www.mozilla.org/security/announce/2014/mfsa2015-07.html

Gecko Media Plugin sandbox escape — Mozilla
Vendor Advisory

Products affected by CVE-2014-8643

Mozilla » Firefox
Versions up to, including, (<=) 34.0.5
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows
Opensuse » Opensuse » Version: 13.2
cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
Matching versions
Opensuse » Opensuse » Version: 13.1
cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2014-8643

Exploit prediction scoring system (EPSS) score for CVE-2014-8643

CVSS scores for CVE-2014-8643

CWE ids for CVE-2014-8643

References for CVE-2014-8643

Products affected by CVE-2014-8643