CVE-2015-4495
Published: 08 August 2015
Summary
CVE-2015-4495 is a high-severity Origin Validation Error (CWE-346) vulnerability in Red Hat Enterprise Linux EUS. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 1.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a same-origin policy bypass in the PDF reader component of Mozilla Firefox before version 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2. It is triggered by specially crafted JavaScript that interacts with a native setter, allowing violation of origin boundaries. The issue is tracked as CVE-2015-4495 with a CVSS 3.1 score of 8.8 and is associated with CWE-346.
Remote attackers can exploit the flaw by serving a malicious PDF that executes in the browser or Firefox OS environment. Successful exploitation permits reading arbitrary local files and obtaining elevated privileges without requiring authentication, though user interaction is needed to open the document. The vulnerability was observed being exploited in the wild during August 2015.
Advisories from openSUSE detail the availability of updated Firefox packages that resolve the issue for affected distributions, recommending immediate application of the patches listed in the August 2015 security announcements. The flaw's public exploitation at the time of disclosure underscores the need for rapid deployment of the fixes across all supported Firefox versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2015-4515
Vulnerability details
The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015.
- CWE(s)
- KEV Date Added: 25 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of the Firefox patches that eliminate the PDF-reader same-origin bypass.
Enforces information-flow boundaries that the crafted JavaScript/native-setter combination is designed to violate.
Restricts execution of untrusted mobile code (JavaScript inside PDFs) that triggers the origin-policy flaw.