cnvd - cnvd-2021-37760

CNVD-2021-37760

Vulnerability from cnvd - Published: 2021-05-28

Title

Firefox unity-firefox-extension存在未明漏洞（CNVD-2021-37760）

Description

Firefox unity-firefox-extension是Firefox开源的一个应用插件。 Firefox unity-firefox-extension 存在安全漏洞，攻击者可利用该漏洞导致Firefox崩溃。

Severity

中

Patch Name

Firefox unity-firefox-extension存在未明漏洞（CNVD-2021-37760）的补丁

Patch Description

Firefox unity-firefox-extension是Firefox开源的一个应用插件。 Firefox unity-firefox-extension 存在安全漏洞，攻击者可利用该漏洞导致Firefox崩溃。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://ubuntu.com/security/notices/USN-2743-3

Reference

https://nvd.nist.gov/vuln/detail/CVE-2013-1054

Impacted products

Name
Firefox unity-firefox-extension

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2013-1054"
    }
  },
  "description": "Firefox unity-firefox-extension\u662fFirefox\u5f00\u6e90\u7684\u4e00\u4e2a\u5e94\u7528\u63d2\u4ef6\u3002\n\nFirefox unity-firefox-extension \u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4Firefox\u5d29\u6e83\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://ubuntu.com/security/notices/USN-2743-3",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-37760",
  "openTime": "2021-05-28",
  "patchDescription": "Firefox unity-firefox-extension\u662fFirefox\u5f00\u6e90\u7684\u4e00\u4e2a\u5e94\u7528\u63d2\u4ef6\u3002\r\n\r\nFirefox unity-firefox-extension \u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4Firefox\u5d29\u6e83\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Firefox unity-firefox-extension\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2021-37760\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Firefox unity-firefox-extension"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2013-1054",
  "serverity": "\u4e2d",
  "submitTime": "2021-04-09",
  "title": "Firefox unity-firefox-extension\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2021-37760\uff09"
}

CVE-2013-1054 (GCVE-0-2013-1054)

Vulnerability from cvelistv5 – Published: 2021-04-07 19:20 – Updated: 2024-09-16 23:32

Summary

The unity-firefox-extension package could be tricked into destroying the Unity webapps context, causing Firefox to crash. This could be achieved by spinning the event loop inside the webapps initialization callback. Fixed in 3.0.0+14.04.20140416-0ubuntu1.14.04.1 by shipping an empty package, thus disabling the extension entirely.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CWE

CWE-404 - Improper Resource Shutdown or Release

Assigner

canonical

References

URL

Tags

	https://launchpad.net/bugs/1175661	vendor-advisoryx_refsource_UBUNTU
	https://ubuntu.com/USN-2743-3	vendor-advisoryx_refsource_UBUNTU

Impacted products

	Vendor	Product	Version
	Canonical	unity-firefox-extension	Affected: 3.0.0 , < 3.0.0+14.04.20140416-0ubuntu1.14.04.1 (custom)

Credits

Chris Coulson

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T14:49:20.622Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://launchpad.net/bugs/1175661"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://ubuntu.com/USN-2743-3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "unity-firefox-extension",
          "vendor": "Canonical",
          "versions": [
            {
              "lessThan": "3.0.0+14.04.20140416-0ubuntu1.14.04.1",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Chris Coulson"
        }
      ],
      "datePublic": "2013-05-02T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The unity-firefox-extension package could be tricked into destroying the Unity webapps context, causing Firefox to crash. This could be achieved by spinning the event loop inside the webapps initialization callback. Fixed in 3.0.0+14.04.20140416-0ubuntu1.14.04.1 by shipping an empty package, thus disabling the extension entirely."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-404",
              "description": "CWE-404 Improper Resource Shutdown or Release",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-04-07T19:20:18",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://launchpad.net/bugs/1175661"
        },
        {
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://ubuntu.com/USN-2743-3"
        }
      ],
      "source": {
        "advisory": "https://ubuntu.com/USN-2743-3",
        "defect": [
          "https://launchpad.net/bugs/1175661"
        ],
        "discovery": "INTERNAL"
      },
      "title": "Possible remote DOS in WebApps",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "AKA": "",
          "ASSIGNER": "security@ubuntu.com",
          "DATE_PUBLIC": "2013-05-02T15:56:00.000Z",
          "ID": "CVE-2013-1054",
          "STATE": "PUBLIC",
          "TITLE": "Possible remote DOS in WebApps"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "unity-firefox-extension",
                      "version": {
                        "version_data": [
                          {
                            "platform": "",
                            "version_affected": "\u003c",
                            "version_name": "3.0.0",
                            "version_value": "3.0.0+14.04.20140416-0ubuntu1.14.04.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Canonical"
              }
            ]
          }
        },
        "configuration": [],
        "credit": [
          {
            "lang": "eng",
            "value": "Chris Coulson"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The unity-firefox-extension package could be tricked into destroying the Unity webapps context, causing Firefox to crash. This could be achieved by spinning the event loop inside the webapps initialization callback. Fixed in 3.0.0+14.04.20140416-0ubuntu1.14.04.1 by shipping an empty package, thus disabling the extension entirely."
            }
          ]
        },
        "exploit": [],
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-404 Improper Resource Shutdown or Release"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://launchpad.net/bugs/1175661",
              "refsource": "UBUNTU",
              "url": "https://launchpad.net/bugs/1175661"
            },
            {
              "name": "https://ubuntu.com/USN-2743-3",
              "refsource": "UBUNTU",
              "url": "https://ubuntu.com/USN-2743-3"
            }
          ]
        },
        "solution": [],
        "source": {
          "advisory": "https://ubuntu.com/USN-2743-3",
          "defect": [
            "https://launchpad.net/bugs/1175661"
          ],
          "discovery": "INTERNAL"
        },
        "work_around": []
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2013-1054",
    "datePublished": "2021-04-07T19:20:18.126383Z",
    "dateReserved": "2013-01-11T00:00:00",
    "dateUpdated": "2024-09-16T23:32:01.687Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-37760

CVE-2013-1054 (GCVE-0-2013-1054)

Tags

Sightings

Nomenclature