CVE-2015-4479 : Multiple integer overflows in libstagefright in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 allow remot

Multiple integer overflows in libstagefright in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 allow remote attackers to execute arbitrary code via a crafted saio chunk in MPEG-4 video data.

Published 2015-08-16 01:59:07

Updated 2018-10-30 16:27:36

Source Mozilla Corporation

View at NVD, CVE.org

Vulnerability category: Execute code

Exploit prediction scoring system (EPSS) score for CVE-2015-4479

Probability of exploitation activity in the next 30 days: 6.22%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 93 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2015-4479

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2015-4479

CWE-189

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-4479

http://www.debian.org/security/2015/dsa-3333

Debian -- Security Information -- DSA-3333-1 iceweasel

CVEs referencing this url
http://lists.opensuse.org/opensuse-updates/2015-08/msg00031.html

openSUSE-SU-2015:1454-1: moderate: Security update for MozillaThunderbir

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.html

[security-announce] SUSE-SU-2015:1449-1: important: Security update for

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00015.html

[security-announce] openSUSE-SU-2015:1390-1: important: Security update

CVEs referencing this url
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

Oracle Solaris Bulletin - April 2016

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2015-1586.html

RHSA-2015:1586 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://bugzilla.mozilla.org/show_bug.cgi?id=1170344

1170344 - int oveflow in libstagefright during mp4 parsing
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00014.html

[security-announce] openSUSE-SU-2015:1389-1: important: Security update

CVEs referencing this url
https://bugzilla.mozilla.org/show_bug.cgi?id=1185115

1185115 - (CVE-2015-4479) MPEG4 saio Chunk Integer Overflow (libstagefright) (ZDI-CAN-2966)
https://security.gentoo.org/glsa/201605-06

Mozilla Products: Multiple vulnerabilities (GLSA 201605-06) — Gentoo security

CVEs referencing this url
http://www.ubuntu.com/usn/USN-2702-1

USN-2702-1: Firefox vulnerabilities | Ubuntu security notices

CVEs referencing this url
http://lists.opensuse.org/opensuse-updates/2015-08/msg00030.html

openSUSE-SU-2015:1453-1: moderate: Security update for MozillaThunderbir

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00016.html

[security-announce] SUSE-SU-2015:1528-1: important: Security update for

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00025.html

[security-announce] SUSE-SU-2015:2081-1: important: Security update for

CVEs referencing this url
http://www.ubuntu.com/usn/USN-2702-3

USN-2702-3: Firefox regression | Ubuntu security notices

CVEs referencing this url
http://www.securitytracker.com/id/1033247

Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, Bypass Security Restrictions, and Conduct Cross-Site Scripting Attacks - SecurityTrack

CVEs referencing this url
http://www.zerodayinitiative.com/advisories/ZDI-15-456

ZDI-15-456 | Zero Day Initiative
http://www.mozilla.org/security/announce/2015/mfsa2015-83.html

Overflow issues in libstagefright — Mozilla
Vendor Advisory

CVEs referencing this url
http://www.ubuntu.com/usn/USN-2702-2

USN-2702-2: Ubufox update | Ubuntu security notices

CVEs referencing this url

Products affected by CVE-2015-4479

Mozilla » Firefox
Versions up to, including, (<=) 39.0.3
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox Esr » Version: 38.0
cpe:2.3:a:mozilla:firefox_esr:38.0:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox Esr » Version: 38.0.1
cpe:2.3:a:mozilla:firefox_esr:38.0.1:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox Esr » Version: 38.0.5
cpe:2.3:a:mozilla:firefox_esr:38.0.5:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox Esr » Version: 38.1.0
cpe:2.3:a:mozilla:firefox_esr:38.1.0:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 15.04
cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
Matching versions
Opensuse » Opensuse » Version: 13.2
cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
Matching versions
Opensuse » Opensuse » Version: 13.1
cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2015-4479

Exploit prediction scoring system (EPSS) score for CVE-2015-4479

CVSS scores for CVE-2015-4479

CWE ids for CVE-2015-4479

References for CVE-2015-4479

Products affected by CVE-2015-4479