CVE-2015-7184

medium

Description

The fetch API implementation in Mozilla Firefox before 41.0.2 does not restrict access to the HTTP response body in certain situations where user credentials are supplied but the CORS cross-origin request algorithm is improperly followed, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
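The description hinges on the "CORS check" step of the Fetch standard: before a cross-origin response body is handed to page script, the browser compares the request origin and credentials mode against the Access-Control-Allow-Origin and Access-Control-Allow-Credentials response headers, and credentialed requests are held to a stricter rule than anonymous ones. The block below is an added example (not Firefox code, and not a reproduction of the fixed bug) that implements that check as the standard specifies it and runs it over constructed responses; the header object layout, the `attacker.example` origin and the sample bodies are assumptions made for illustration.

```javascript
// Added example: reference implementation of the Fetch standard's "CORS check",
// the step that decides whether a cross-origin response body may be exposed to
// the calling page. Not Firefox code; it shows what a correct implementation
// returns for credentialed requests, the case CVE-2015-7184 concerns.

// Response headers are a plain object with lower-case names (assumption for
// this example; real browser code works on a Headers list).
function getHeader(headers, name) {
  const v = headers[name.toLowerCase()];
  return v === undefined ? null : String(v);
}

// Returns true when the response body may be exposed to `requestOrigin`.
// credentialsMode is one of "omit", "same-origin", "include".
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const allowOrigin = getHeader(responseHeaders, "Access-Control-Allow-Origin");
  // Step 1: no ACAO header at all -> network error, body stays hidden.
  if (allowOrigin === null) return false;
  // Step 2: the wildcard is acceptable only for non-credentialed requests.
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  // Step 3: byte-for-byte match of the serialized origin. For a credentialed
  // request "*" fails here, as do origin lists and values with a trailing "/".
  if (allowOrigin !== requestOrigin) return false;
  // Step 4: non-credentialed request with a matching origin -> exposed.
  if (credentialsMode !== "include") return true;
  // Step 5: credentialed requests additionally need an exact, case-sensitive
  // "true"; anything else ("True", "1", absent) fails.
  const allowCreds = getHeader(responseHeaders, "Access-Control-Allow-Credentials");
  return allowCreds === "true";
}

// Models what page script can read after fetch(url, {credentials: "include"})
// settles: the body only if the CORS check passes, otherwise a rejection.
function exposeBody(requestOrigin, credentialsMode, response) {
  if (corsCheck(requestOrigin, credentialsMode, response.headers)) {
    return { ok: true, body: response.body };
  }
  return { ok: false, body: null, error: "TypeError: NetworkError when attempting to fetch resource." };
}

// Constructed sample responses (not captured from any real server). The body
// stands in for cookie-authenticated private data the attacker wants to read.
const ATTACKER = "https://attacker.example";
const PRIVATE = "{\"balance\": 4200}";
const samples = {
  // Wildcard: fine for anonymous fetches, must not leak for credentialed ones.
  wildcard: { headers: { "access-control-allow-origin": "*" }, body: PRIVATE },
  // Origin reflected, but the server never opted in to credentials.
  reflectedNoCreds: { headers: { "access-control-allow-origin": ATTACKER }, body: PRIVATE },
  // Server explicitly allows this origin with credentials: exposed by design.
  reflectedWithCreds: {
    headers: { "access-control-allow-origin": ATTACKER, "access-control-allow-credentials": "true" },
    body: PRIVATE,
  },
  // No CORS headers at all, the usual state of a private API.
  none: { headers: {}, body: PRIVATE },
};

// Runs every sample as both an anonymous and a credentialed request and
// reports whether the body would be exposed to the attacker origin.
function run() {
  const results = {};
  for (const [name, resp] of Object.entries(samples)) {
    results[name] = {
      anonymous: exposeBody(ATTACKER, "omit", resp).ok,
      credentialed: exposeBody(ATTACKER, "include", resp).ok,
    };
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) console.log(run());
```

With the check applied as written, only the `reflectedWithCreds` sample exposes its body to a credentialed request; the wildcard and reflected-without-credentials responses are readable anonymously but not with cookies attached, and a response with no CORS headers is never readable. The CVE text says Firefox before 41.0.2 let the body through in some credentialed situations where this check should have failed, which is why the fix is in the browser, not on the server. The server-side caveat still stands: never pair `Access-Control-Allow-Credentials: true` with a blindly reflected Origin, since that is the one configuration a correct browser will legitimately expose.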

References

http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00021.html

http://www.mozilla.org/security/announce/2015/mfsa2015-115.html

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

http://www.securityfocus.com/bid/77100

http://www.securitytracker.com/id/1033820

http://www.ubuntu.com/usn/USN-2768-1

https://bugzilla.mozilla.org/show_bug.cgi?id=1208339

https://bugzilla.mozilla.org/show_bug.cgi?id=1212669

Details

Source: MITRE

Published: 2015-10-18

Updated: 2016-12-24

Type: CWE-284

Risk Information

CVSS v2

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* versions up to 41.0.1 (inclusive)

Tenable Plugins


ID    | Name                                                                                                    | Product                | Family                        | Severity
9018  | Mozilla Firefox < 42.0 Multiple Vulnerabilities                                                         | Nessus Network Monitor | Web Clients                   | critical
86595 | openSUSE Security Update : MozillaFirefox (openSUSE-2015-678)                                           | Nessus                 | SuSE Local Security Checks    | medium
86443 | Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : firefox vulnerability (USN-2768-1)                               | Nessus                 | Ubuntu Local Security Checks  | medium
86432 | FreeBSD : firefox -- Cross-origin restriction bypass using Fetch (79c68ef7-c8ae-4ade-91b4-4b8221b7c72a) | Nessus                 | FreeBSD Local Security Checks | medium
86418 | Firefox < 41.0.2 'fetch' API Cross-Origin Bypass                                                        | Nessus                 | Windows                       | medium
86417 | Firefox < 41.0.2 'fetch' API Cross-Origin Bypass (Mac OS X)                                             | Nessus                 | MacOS X Local Security Checks | medium