Cyber Resilience

CVE-2015-4495

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 08 August 2015

Modified: 22 April 2026
KEV Added: 25 May 2022
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.7157 (98.8th percentile)
Risk Priority: 81 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2015-4495 is a high-severity Origin Validation Error (CWE-346) vulnerability in Red Hat Enterprise Linux EUS. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 1.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a same-origin policy bypass in the PDF reader component of Mozilla Firefox before version 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2. It is triggered by specially crafted JavaScript that interacts with a native setter, allowing violation of origin boundaries. The issue is tracked as CVE-2015-4495 with a CVSS 3.1 score of 8.8 and is associated with CWE-346.

Remote attackers can exploit the flaw by serving a malicious PDF that executes in the browser or Firefox OS environment. Successful exploitation permits reading arbitrary local files and obtaining elevated privileges without requiring authentication, though user interaction is needed to open the document. The vulnerability was observed being exploited in the wild during August 2015.

Advisories from openSUSE detail the availability of updated Firefox packages that resolve the issue for affected distributions, recommending immediate application of the patches listed in the August 2015 security announcements. The flaw's public exploitation at the time of disclosure underscores the need for rapid deployment of the fixes across all supported Firefox versions.

EU & UK References

Vulnerability details

The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015.

CWE(s)
KEV Date Added: 25 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

mozilla firefox: ≤ 39.0.3 · 38.0 — 38.1.1
mozilla firefox os: ≤ 2.2
oracle solaris: 11.3
canonical ubuntu linux: 12.04, 14.04, 15.04
redhat enterprise linux desktop: 5.0, 6.0, 7.0
redhat enterprise linux eus: 6.7, 7.1, 7.2, 7.3, 7.4
redhat enterprise linux server: 5.0, 6.0, 7.0
redhat enterprise linux server aus: 7.3, 7.4, 7.6, 7.7
redhat enterprise linux server tus: 7.3, 7.6, 7.7
redhat enterprise linux workstation: 5.0, 6.0, 7.0
+5 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires timely installation of the Firefox patches that eliminate the PDF-reader same-origin bypass.

prevent: Enforces information-flow boundaries that the crafted JavaScript/native-setter combination is designed to violate.

SC-18 Mobile Code (partial match), prevent: Restricts execution of untrusted mobile code (JavaScript inside PDFs) that triggers the origin-policy flaw.

References