CVE-2004-0908
CVSS: 4.0
Published: 2004-12-31 00:00:00
Last revised: 2016-10-17 22:49:54

[Original] Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows untrusted Javascript code to read and write to the clipboard, and possibly obtain sensitive information, via script-generated events such as Ctrl-Ins.


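[CNNVD] Mozilla/Firefox Browsers unauthorized clipboard content disclosure (CNNVD-200412-867)

        Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 contain a vulnerability. Untrusted Javascript code can read and write the clipboard via script-generated events such as Ctrl-Ins, and possibly obtain sensitive information.

- CVSS (base score)

CVSS score: 4 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)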

cpe:/a:mozilla:mozilla:1.7.1  Mozilla Mozilla 1.7.1
cpe:/a:mozilla:mozilla:1.7.2  Mozilla Mozilla 1.7.2
cpe:/a:mozilla:mozilla:1.2:alpha  Mozilla Mozilla Browser 1.2 Alpha
cpe:/a:mozilla:mozilla:1.7:alpha  Mozilla Mozilla 1.7 alpha
cpe:/a:mozilla:mozilla:1.4:alpha  Mozilla Mozilla 1.4a
cpe:/a:mozilla:mozilla:1.1:alpha  Mozilla Mozilla Browser 1.1 Alpha
cpe:/a:mozilla:mozilla:1.4:beta  Mozilla Mozilla Browser 1.4b
cpe:/a:mozilla:mozilla:1.1:beta  Mozilla Mozilla Browser 1.1 Beta
cpe:/a:mozilla:mozilla:0.9.2  Mozilla Mozilla Browser 0.9.2
cpe:/a:mozilla:thunderbird:0.7.2  Mozilla Thunderbird 0.7.2
cpe:/a:mozilla:mozilla:1.2:beta  Mozilla Mozilla Browser 1.2 Beta
cpe:/a:mozilla:mozilla:1.7:beta  Mozilla Mozilla 1.7 beta
cpe:/a:mozilla:mozilla:0.9.48  Mozilla Mozilla Browser 0.9.48
cpe:/a:mozilla:thunderbird:0.7.1  Mozilla Thunderbird 0.7.1
cpe:/a:mozilla:mozilla:0.9.9  Mozilla Mozilla 0.9.9
cpe:/a:mozilla:mozilla:0.8  Mozilla Mozilla Browser 0.8
cpe:/a:mozilla:mozilla:0.9.7  Mozilla Mozilla 0.9.7
cpe:/a:mozilla:mozilla:0.9.8  Mozilla Mozilla Browser 0.9.8
cpe:/a:mozilla:mozilla:1.2.1  Mozilla Mozilla Browser 1.2.1
cpe:/a:mozilla:mozilla:1.4.1  Mozilla Mozilla 1.4.1
cpe:/a:mozilla:mozilla:1.4.2  Mozilla Mozilla Browser 1.4.2
cpe:/a:mozilla:mozilla:0.9.5  Mozilla Mozilla Browser 0.9.5
cpe:/a:mozilla:mozilla:0.9.6  Mozilla Mozilla Browser 0.9.6
cpe:/a:mozilla:mozilla:0.9.3  Mozilla Mozilla Browser 0.9.3
cpe:/a:mozilla:mozilla:1.0.1  Mozilla Mozilla Browser 1.0.1
cpe:/a:mozilla:mozilla:0.9.4  Mozilla Mozilla Browser 0.9.4
cpe:/a:mozilla:mozilla:1.0.2  Mozilla Mozilla Browser 1.0.2
cpe:/a:mozilla:mozilla:0.9.4.1  Mozilla Mozilla Browser 0.9.4.1
cpe:/a:mozilla:mozilla:1.4.4  Mozilla Mozilla Browser 1.4.4
cpe:/a:mozilla:mozilla:0.9.2.1  Mozilla Mozilla Browser 0.9.2.1
cpe:/a:mozilla:mozilla:1.7:rc3  Mozilla Mozilla 1.7 rc3
cpe:/a:mozilla:mozilla:1.7:rc2  Mozilla Mozilla 1.7 rc2
cpe:/a:mozilla:mozilla:1.7:rc1  Mozilla Mozilla 1.7 rc1
cpe:/a:mozilla:thunderbird:0.1  Mozilla Thunderbird 0.1
cpe:/a:mozilla:thunderbird:0.4  Mozilla Thunderbird 0.4
cpe:/a:mozilla:thunderbird:0.2  Mozilla Thunderbird 0.2
cpe:/a:mozilla:thunderbird:0.5  Mozilla Thunderbird 0.5
cpe:/a:mozilla:mozilla:1.0:rc1
cpe:/a:mozilla:thunderbird:0.3  Mozilla Thunderbird 0.3
cpe:/a:mozilla:thunderbird:0.6  Mozilla Thunderbird 0.6
cpe:/a:mozilla:mozilla:1.0:rc2
cpe:/a:mozilla:thunderbird:0.7  Mozilla Thunderbird 0.7
cpe:/a:mozilla:mozilla:1.7  Mozilla Mozilla 1.7
cpe:/a:mozilla:mozilla:1.6  Mozilla Mozilla 1.6
cpe:/a:mozilla:mozilla:1.5  Mozilla Mozilla 1.5
cpe:/a:mozilla:mozilla:1.4  Mozilla Mozilla 1.4
cpe:/a:mozilla:mozilla:1.3  Mozilla Mozilla 1.3
cpe:/a:mozilla:mozilla:1.2  Mozilla Mozilla 1.2
cpe:/a:mozilla:mozilla:1.1  Mozilla Mozilla 1.1
cpe:/a:mozilla:mozilla:1.0  Mozilla Mozilla 1.0
cpe:/a:mozilla:mozilla:1.3.1  Mozilla Mozilla Browser 1.3.1
cpe:/a:mozilla:mozilla:1.5.1  Mozilla Mozilla 1.5.1
cpe:/a:mozilla:mozilla:0.9.35  Mozilla Mozilla Browser 0.9.35

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9745  Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows untrusted Javascript code to read and wr...
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0908
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0908
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-867
(Official data source) CNNVD

- Other links and resources

http://bugzilla.mozilla.org/show_bug.cgi?id=257523
(PATCH)  CONFIRM  http://bugzilla.mozilla.org/show_bug.cgi?id=257523
http://marc.info/?l=bugtraq&m=109698896104418&w=2
(UNKNOWN)  HP  SSRT4826
http://marc.info/?l=bugtraq&m=109900315219363&w=2
(UNKNOWN)  FEDORA  FLSA:2089
http://security.gentoo.org/glsa/glsa-200409-26.xml
(UNKNOWN)  GENTOO  GLSA-200409-26
http://www.kb.cert.org/vuls/id/460528
(UNKNOWN)  CERT-VN  VU#460528
http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
(UNKNOWN)  CONFIRM  http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
http://www.novell.com/linux/security/advisories/2004_36_mozilla.html
(PATCH)  SUSE  SUSE-SA:2004:036
http://www.securityfocus.com/bid/11179
(PATCH)  BID  11179
http://xforce.iss.net/xforce/xfdb/17376
(UNKNOWN)  XF  mozilla-shortcut-clipboard-access(17376)

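- Vulnerability information

Mozilla/Firefox Browsers unauthorized clipboard content disclosure
Medium risk  Access validation error
2004-12-31 00:00:00 2005-10-20 00:00:00
Remote
        Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 contain a vulnerability. Untrusted Javascript code can read and write the clipboard via script-generated events such as Ctrl-Ins, and possibly obtain sensitive information.

- Advisories and patches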

        This issue is addressed in Mozilla 1.7.3 and Firefox Preview Release:
        Conectiva has released an advisory (CLA-2004:877) to address various issues including this issue in Mozilla. This advisory contains updated Mozilla packages (1.7.3) for Conectiva Linux 9 and 10. Please see the referenced advisory for more information.
        Gentoo has released an advisory (GLSA 200409-26) to address various issues in Mozilla Browsers. Please see the referenced advisory for more information. Gentoo users may carry out the following commands to update their systems.
        emerge sync
        emerge -pv your-version
        emerge your-version
        RedHat Linux has released advisory RHSA-2004:486-18 along with fixes to address this, and other issues for RedHat Enterprise Linux operating systems. Please see the referenced advisory for further information on obtaining fixes.
        HP has released an advisory (SSRT4826) dealing with this issue for their Tru64 UNIX platform. Please see the referenced advisory for more information.
        SuSE Linux has released advisory SUSE-SA:2004:036 along with fixes dealing with this issue. Please see the referenced advisory for more information.
        The Fedora Legacy project has released advisory FLSA-2004:2089 along with fixes to address multiple issues in RedHat Fedora Core 1, and RedHat Linux 7.3 and 9.0. Please see the referenced advisory for further information.
        Mozilla Firefox 0.8
        Mozilla Firefox 0.9
        Mozilla Firefox 0.9 rc
        Mozilla Firefox 0.9.1
        Mozilla Firefox 0.9.2
        Mozilla Firefox 0.9.3
        Mozilla Browser 1.7
        Mozilla Browser 1.7 rc3
        Mozilla Browser 1.7.1
        Mozilla Browser 1.7.2

- Vulnerability information

9965
Mozilla Multiple Products Text Field Script Generation Arbitrary Clipboard Content Manipulation
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Vendor Verified

- Vulnerability description

- Timeline

2004-08-31 Unknown
Unknown Unknown

- Solution

Upgrade to Mozilla 1.7.3, Firefox 1.0PR, Thunderbird 0.8 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete