Vulnerability Details : CVE-2014-1564
Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 do not properly initialize memory for GIF rendering, which allows remote attackers to obtain sensitive information from process memory via crafted web script that interacts with a CANVAS element associated with a malformed GIF image.
Products affected by CVE-2014-1564
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:31.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:30.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:31.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:31.0:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:evergreen:11.4:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-1564
2.56%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 90 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-1564
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
8.6
|
2.9
|
NIST |
CWE ids for CVE-2014-1564
-
The product accesses or uses a pointer that has not been initialized.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-1564
-
http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00024.html
[security-announce] openSUSE-SU-2015:0138-1: important: Firefox update tThird Party Advisory
-
http://www.securitytracker.com/id/1030794
Mozilla Thunderbird Multiple Flaws Let Remote Users Execute Arbitrary Code and Obtain Potentially Sensitive Information - SecurityTracker
-
http://www.securityfocus.com/archive/1/533357/100/0/threaded
SecurityFocus
-
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
Oracle Solaris Bulletin - April 2016
-
http://www.mozilla.org/security/announce/2014/mfsa2014-69.html
Uninitialized memory use during GIF rendering — MozillaVendor Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00003.html
[security-announce] openSUSE-SU-2014:1098-1: important: MozillaThunderbiThird Party Advisory
-
https://security.gentoo.org/glsa/201504-01
Mozilla Products: Multiple vulnerabilities (GLSA 201504-01) — Gentoo security
-
http://lists.opensuse.org/opensuse-updates/2014-09/msg00011.html
openSUSE-SU-2014:1099-1: moderate: MozillaFirefox to Firefox 32Third Party Advisory
-
https://bugzilla.mozilla.org/show_bug.cgi?id=1045977
1045977 - (CVE-2014-1564) Apparent info leak caused by uninitialized memory with malformed GIFsIssue Tracking
-
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html
[security-announce] openSUSE-SU-2015:1266-1: important: Mozilla (Firefox
-
http://www.securitytracker.com/id/1030793
Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code and Obtain Potentially Sensitive Information - SecurityTracker
-
http://packetstormsecurity.com/files/128132/Mozilla-Firefox-Secret-Leak.html
Mozilla Firefox Secret Leak ≈ Packet Storm
-
http://www.securityfocus.com/bid/69525
Mozilla Firefox and Thunderbird CVE-2014-1564 Information Disclosure Vulnerability
-
http://seclists.org/fulldisclosure/2014/Sep/18
Full Disclosure: Uninit memory disclosure via truncated images in Firefox
-
http://secunia.com/advisories/60148
Sign in
-
http://secunia.com/advisories/61114
Sign in
Jump to