CVE-2013-1690
Published: 26 June 2013
Summary
CVE-2013-1690 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Suse Linux Enterprise Server. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 2.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
Mozilla Firefox versions before 22.0, Firefox ESR 17.x versions before 17.0.7, Thunderbird versions before 17.0.7, and Thunderbird ESR 17.x versions before 17.0.7 contain a memory safety flaw stemming from improper handling of onreadystatechange events in combination with page reloading. The issue, tracked as CWE-119, can trigger an attempt to execute data at an unmapped memory location.
Remote attackers may exploit the vulnerability by serving a crafted web page to a user who visits the site in an affected browser or mail client. Successful exploitation can result in an application crash or arbitrary code execution with the privileges of the user running the software.
OpenSUSE security advisories for this issue direct administrators to apply updated packages that correct the handling of these events in the listed Mozilla products.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-1717
Vulnerability details
Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly handle onreadystatechange events in conjunction with page reloading, which allows remote attackers to cause a denial of service (application…
more
crash) or possibly execute arbitrary code via a crafted web site that triggers an attempt to execute data at an unmapped memory location.
- CWE(s)
- KEV Date Added
- 28 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely application of vendor patches that correct the onreadystatechange memory-handling flaw in Firefox/Thunderbird.
Enforces memory-protection mechanisms that block execution of data at unmapped addresses, mitigating the CWE-119 flaw before code execution succeeds.
Restricts or sandboxed execution of mobile code (e.g., JavaScript) delivered by untrusted web pages, limiting the attack vector that triggers the vulnerability.