CVE-2013-1675
Published: 16 May 2013
Summary
CVE-2013-1675 is a medium-severity Improper Initialization (CWE-665) vulnerability in Canonical Ubuntu Linux. Its CVSS base score is 6.5 (Medium).
Operationally, it is ranked in the top 7.8% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
Mozilla Firefox before version 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 contain an improper initialization flaw in the nsDOMSVGZoomEvent::mPreviousScale and nsDOMSVGZoomEvent::mNewScale functions. The affected code fails to properly set up internal data structures for SVG zoom events, which is tracked as CWE-665 and carries a CVSS 3.1 score of 6.5 reflecting network attack vector, low complexity, and high confidentiality impact.
Remote attackers can exploit the issue by serving a crafted web page that triggers SVG zoom event handling in a vulnerable browser or mail client. Successful exploitation allows the attacker to read uninitialized memory contents from the process address space, potentially disclosing sensitive information such as cryptographic material or other process data, provided the user interacts with the malicious content.
The referenced openSUSE security advisories describe the availability of updated packages that correct the initialization error in the affected Mozilla components and advise administrators to apply the patches promptly to prevent information disclosure. No further details on in-the-wild exploitation are supplied in the source material.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-1702
Vulnerability details
Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 do not properly initialize data structures for the nsDOMSVGZoomEvent::mPreviousScale and nsDOMSVGZoomEvent::mNewScale functions, which allows remote attackers to obtain sensitive information from process memory via a crafted web site.
- CWE(s)
- KEV Date Added: 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires applying vendor patches that correct the nsDOMSVGZoomEvent initialization flaw before exploitation can occur.
Implements memory-protection mechanisms that can block or sanitize reads of uninitialized process memory disclosed by the SVG zoom event handler.
Enforces process isolation boundaries that limit the scope of memory an attacker can read even when the browser's event structures remain uninitialized.