Lucene search

K

[email protected]CVE-2014-8639

HistoryJan 14, 2015 - 11:59 a.m.

CVE-2014-8639

2015-01-1411:59:00

NVD-CWE-Other

[email protected]

web.nvd.nist.gov

46

cve-2014-8639

mozilla firefox

firefox esr

thunderbird

seamonkey

session fixation

http proxy

nvd

9.1 High

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.019 Low

EPSS

Percentile

88.2%

Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 do not properly interpret Set-Cookie headers within responses that have a 407 (aka Proxy Authentication Required) status code, which allows remote HTTP proxy servers to conduct session fixation attacks by providing a cookie name that corresponds to the session cookie of the origin server.

CPENameOperatorVersion
mozilla:seamonkeymozilla seamonkeyle2.31
mozilla:firefoxmozilla firefoxle34.0.5
mozilla:firefox_esrmozilla firefox esreq31.3.0
mozilla:firefox_esrmozilla firefox esreq31.1.1
mozilla:firefox_esrmozilla firefox esreq31.1.0
mozilla:firefox_esrmozilla firefox esreq31.2
mozilla:firefox_esrmozilla firefox esreq31.0
mozilla:thunderbirdmozilla thunderbirdle31.3.0

References

linux.oracle.com/errata/ELSA-2015-0046.html

linux.oracle.com/errata/ELSA-2015-0047.html

lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html

lists.opensuse.org/opensuse-security-announce/2015-01/msg00032.html

lists.opensuse.org/opensuse-security-announce/2015-01/msg00033.html

lists.opensuse.org/opensuse-security-announce/2015-01/msg00036.html

lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html

lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html

lists.opensuse.org/opensuse-updates/2015-01/msg00071.html

rhn.redhat.com/errata/RHSA-2015-0046.html

rhn.redhat.com/errata/RHSA-2015-0047.html

secunia.com/advisories/62237

secunia.com/advisories/62242

secunia.com/advisories/62250

secunia.com/advisories/62253

secunia.com/advisories/62259

secunia.com/advisories/62273

secunia.com/advisories/62274

secunia.com/advisories/62283

secunia.com/advisories/62293

secunia.com/advisories/62304

secunia.com/advisories/62313

secunia.com/advisories/62315

secunia.com/advisories/62316

secunia.com/advisories/62418

secunia.com/advisories/62446

secunia.com/advisories/62657

secunia.com/advisories/62790

www.debian.org/security/2015/dsa-3127

www.debian.org/security/2015/dsa-3132

www.mozilla.org/security/announce/2014/mfsa2015-04.html

www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html

www.securityfocus.com/bid/72046

www.securitytracker.com/id/1031533

www.securitytracker.com/id/1031534

www.ubuntu.com/usn/USN-2460-1

bugzilla.mozilla.org/show_bug.cgi?id=1095859

exchange.xforce.ibmcloud.com/vulnerabilities/99959

security.gentoo.org/glsa/201504-01

9.1 High

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.019 Low

EPSS

Percentile

88.2%

Related for CVE-2014-8639

kaspersky1 ubuntucve1 mozilla1 prion1 veracode1 openvas33 osv2 nessus35 redhat2 centos2 ubuntu4 oraclelinux2 debian2 mageia2 archlinux2 suse8 securityvulns1 freebsd1 ibm1 gentoo1