CVE-2015-4503 : The TCP Socket API implementation in Mozilla Firefox before 41.0 mishandles arra

The TCP Socket API implementation in Mozilla Firefox before 41.0 mishandles array boundaries that were established with a navigator.mozTCPSocket.open method call and send method calls, which allows remote TCP servers to obtain sensitive information from process memory by reading packet data, as demonstrated by availability of this API in a Firefox OS application.

Published 2015-09-24 04:59:06

Updated 2025-04-12 10:46:41

Source Mozilla Corporation

View at NVD, CVE.org

Products affected by CVE-2015-4503

Mozilla » Firefox
Versions up to, including, (<=) 40.0.3
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2015-4503

EPSS FAQ

0.58%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 66 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2015-4503

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2015-4503

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-4503

http://www.securityfocus.com/bid/76815

Mozilla Firefox Multiple Security Vulnerabilities

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00000.html

[security-announce] openSUSE-SU-2015:1658-1: important: Security update

CVEs referencing this url
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

Oracle Solaris Bulletin - April 2016

CVEs referencing this url
http://www.mozilla.org/security/announce/2015/mfsa2015-97.html

Memory leak in mozTCPSocket to servers — Mozilla
Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=994337

994337 - (CVE-2015-4503) mozTCPSocket leaks client memory to server
http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00005.html

[security-announce] openSUSE-SU-2015:1681-1: important: Security update

CVEs referencing this url
http://www.securitytracker.com/id/1033640

Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, Bypass Security Restrictions, and Gain Elevated Privileges - SecurityTracker

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2015-4503

Products affected by CVE-2015-4503

Exploit prediction scoring system (EPSS) score for CVE-2015-4503

CVSS scores for CVE-2015-4503

CWE ids for CVE-2015-4503

References for CVE-2015-4503