CVE-2016-1947 — MEDIUM (4.7)

Vulnerability Description

Mozilla Firefox 43.x mishandles attempts to connect to the Application Reputation service, which makes it easier for remote attackers to trigger an unintended download by leveraging the absence of reputation data.

CVSS Score

4.7

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Canonical	Ubuntu Linux	12.04
Opensuse	Leap	42.1
Opensuse	Opensuse	13.1
Mozilla	Firefox	43.0

Related Weaknesses (CWE)

CWE-19

References

http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00001.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00002.htmlThird Party Advisory
http://www.mozilla.org/security/announce/2016/mfsa2016-11.htmlVendor Advisory
http://www.securityfocus.com/bid/81949Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1034825
http://www.ubuntu.com/usn/USN-2880-1Third Party Advisory
http://www.ubuntu.com/usn/USN-2880-2Third Party Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1237103Issue TrackingVendor Advisory
https://security.gentoo.org/glsa/201605-06Third Party AdvisoryVDB Entry
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00001.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00002.htmlThird Party Advisory
http://www.mozilla.org/security/announce/2016/mfsa2016-11.htmlVendor Advisory
http://www.securityfocus.com/bid/81949Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1034825
http://www.ubuntu.com/usn/USN-2880-1Third Party Advisory

FAQ

What is CVE-2016-1947?

CVE-2016-1947 is a vulnerability with a CVSS score of 4.7 (MEDIUM). Mozilla Firefox 43.x mishandles attempts to connect to the Application Reputation service, which makes it easier for remote attackers to trigger an unintended download by leveraging the absence of rep...

How severe is CVE-2016-1947?

CVE-2016-1947 has been rated MEDIUM with a CVSS base score of 4.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-1947?

Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Opensuse Leap, Opensuse Opensuse, Mozilla Firefox.