CVE-2005-2395 - Mozilla Firefox 1.0.4 and 1.0.5 does not choose the challenge with the strongest authentication sche

CVE-2005-2395

Summary

Mozilla Firefox 1.0.4 and 1.0.5 does not choose the challenge with the strongest authentication scheme available as required by RFC2617, which might cause credentials to be sent in plaintext even if an encrypted channel is available.

References

Vulnerable Configurations

cpe:2.3:a:mozilla:firefox:1.0.4:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.0.4:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.0.5:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:1.0.5:*:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 11-07-2017 - 01:32)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:N/A:N

refmap via4

bid	14325
bugtraq	20050719 Mozilla cleartext credentials leak bug report to excuse myself (Re[2]: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein)
misc	http://www.securiteam.com/securitynews/5PP0L00GUQ.html https://bugzilla.mozilla.org/show_bug.cgi?id=281851
osvdb	19002
sreason	8
xf	mozilla-authentication-weakness(22272)

Last major update

11-07-2017 - 01:32

Published

27-07-2005 - 04:00

Last modified

11-07-2017 - 01:32