CVE-2014-1531 : Use-after-free vulnerability in the nsGenericHTMLElement::GetWidthHeightForImage

Use-after-free vulnerability in the nsGenericHTMLElement::GetWidthHeightForImage function in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors involving an imgLoader object that is not properly handled during an image-resize operation.

Published 2014-04-30 10:49:05

Updated 2020-08-07 19:26:57

Source Mozilla Corporation

View at NVD, CVE.org

Vulnerability category: Memory CorruptionExecute codeDenial of service

Products affected by CVE-2014-1531

Debian » Debian Linux » Version: 7.0
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 5.0
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 6.5
cpe:2.3:o:redhat:enterprise_linux_eus:6.5:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 5.0
cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 5.0
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 6.5
cpe:2.3:o:redhat:enterprise_linux_server_aus:6.5:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Eus » Version: 6.5
cpe:2.3:o:redhat:enterprise_linux_server_eus:6.5:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 6.5
cpe:2.3:o:redhat:enterprise_linux_server_tus:6.5:*:*:*:*:*:*:*
Matching versions
Suse » Suse Linux Enterprise Server » Version: 10 Update SP4 Ltss Edition
cpe:2.3:o:suse:suse_linux_enterprise_server:10:sp4:*:*:ltss:*:*:*
Matching versions
Suse » Suse Linux Enterprise Server » Version: 11 Update SP1 Ltss Edition
cpe:2.3:o:suse:suse_linux_enterprise_server:11:sp1:*:*:ltss:*:*:*
Matching versions
Mozilla » Firefox
Versions before (<) 29.0
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird
Versions before (<) 24.5
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Seamonkey
Versions before (<) 2.26
cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox Esr
Versions from including (>=) 24.0 and before (<) 24.5
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.10
cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 13.10
cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 19
cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 20
cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*
Matching versions
Opensuse » Opensuse » Version: 11.4
cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*
Matching versions
Opensuse » Opensuse » Version: 12.3
cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*
Matching versions
Opensuse » Opensuse » Version: 13.1
cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-1531

EPSS FAQ

1.72%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 81 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-1531

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2014-1531

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-1531

http://www.securitytracker.com/id/1030164

Mozilla Seamonkey Multiple Flaws Let Remote Users Execute Arbitrary Code, Deny Service, and Conduct Cross-Site Scripting Attacks - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url
http://www.debian.org/security/2014/dsa-2918

Debian -- Security Information -- DSA-2918-1 iceweasel
Third Party Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1030163

Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Deny Service, and Conduct Cross-Site Scripting Attacks and Local Users Gain Elevated Privileges - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

Oracle Solaris Bulletin - April 2016
Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-updates/2014-05/msg00010.html

openSUSE-SU-2014:0599-1: moderate: update for MozillaFirefox
Mailing List;Third Party Advisory

CVEs referencing this url
http://www.debian.org/security/2014/dsa-2924

Debian -- Security Information -- DSA-2924-1 icedove
Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-updates/2014-05/msg00033.html

openSUSE-SU-2014:0629-1: moderate: update for seamonkey
Mailing List;Third Party Advisory

CVEs referencing this url
http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132332.html

[SECURITY] Fedora 20 Update: thunderbird-24.5.0-1.fc20
Mailing List;Third Party Advisory

CVEs referencing this url
http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132437.html

[SECURITY] Fedora 19 Update: firefox-29.0-5.fc19
Mailing List;Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/67134

Mozilla Firefox/Thunderbird/SeaMonkey CVE-2014-1531 Use After Free Memory Corruption Vulnerability
Third Party Advisory;VDB Entry
http://rhn.redhat.com/errata/RHSA-2014-0448.html

RHSA-2014:0448 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/201504-01

Mozilla Products: Multiple vulnerabilities (GLSA 201504-01) — Gentoo security
Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-updates/2014-05/msg00013.html

openSUSE-SU-2014:0602-1: moderate: Mozilla updates 5/2014
Mailing List;Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00015.html

[security-announce] SUSE-SU-2014:0727-1: important: Security update for
Mailing List;Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00006.html

[security-announce] SUSE-SU-2014:0665-1: important: Security update for
Mailing List;Third Party Advisory

CVEs referencing this url
http://www.ubuntu.com/usn/USN-2189-1

USN-2189-1: Thunderbird vulnerabilities | Ubuntu security notices
Third Party Advisory

CVEs referencing this url
https://bugzilla.mozilla.org/show_bug.cgi?id=987140

987140 - (CVE-2014-1531) ASAN heap-use-after-free in nsGenericHTMLElement::GetWidthHeightForImage
Exploit;Issue Tracking;Vendor Advisory
http://www.ubuntu.com/usn/USN-2185-1

USN-2185-1: Firefox vulnerabilities | Ubuntu security notices
Third Party Advisory

CVEs referencing this url
http://www.mozilla.org/security/announce/2014/mfsa2014-44.html

Use-after-free in imgLoader while resizing images — Mozilla
Vendor Advisory
http://lists.opensuse.org/opensuse-updates/2014-05/msg00040.html

openSUSE-SU-2014:0640-1: moderate: update for MozillaThunderbird
Mailing List;Third Party Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2014-0449.html

RHSA-2014:0449 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1030165

Mozilla Thunderbird Multiple Flaws Let Remote Users Execute Arbitrary Code, Deny Service, and Conduct Cross-Site Scripting Attacks and Local Users Gain Elevated Privileges - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2014-1531

Products affected by CVE-2014-1531

Exploit prediction scoring system (EPSS) score for CVE-2014-1531

CVSS scores for CVE-2014-1531

CWE ids for CVE-2014-1531

References for CVE-2014-1531