CVE - CVE-2014-8639

CVE-ID
CVE-2014-8639	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 do not properly interpret Set-Cookie headers within responses that have a 407 (aka Proxy Authentication Required) status code, which allows remote HTTP proxy servers to conduct session fixation attacks by providing a cookie name that corresponds to the session cookie of the origin server.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:http://www.mozilla.org/security/announce/2014/mfsa2015-04.html CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=1095859 CONFIRM:http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html CONFIRM:http://linux.oracle.com/errata/ELSA-2015-0046.html CONFIRM:http://linux.oracle.com/errata/ELSA-2015-0047.html DEBIAN:DSA-3127 URL:http://www.debian.org/security/2015/dsa-3127 DEBIAN:DSA-3132 URL:http://www.debian.org/security/2015/dsa-3132 GENTOO:GLSA-201504-01 URL:https://security.gentoo.org/glsa/201504-01 REDHAT:RHSA-2015:0046 URL:http://rhn.redhat.com/errata/RHSA-2015-0046.html REDHAT:RHSA-2015:0047 URL:http://rhn.redhat.com/errata/RHSA-2015-0047.html SUSE:openSUSE-SU-2015:0133 URL:http://lists.opensuse.org/opensuse-updates/2015-01/msg00071.html SUSE:openSUSE-SU-2015:0077 URL:http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html SUSE:openSUSE-SU-2015:0192 URL:http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html SUSE:SUSE-SU-2015:0171 URL:http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00032.html SUSE:SUSE-SU-2015:0173 URL:http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00033.html SUSE:SUSE-SU-2015:0180 URL:http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00036.html SUSE:openSUSE-SU-2015:1266 URL:http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html UBUNTU:USN-2460-1 URL:http://www.ubuntu.com/usn/USN-2460-1 BID:72046 URL:http://www.securityfocus.com/bid/72046 SECTRACK:1031533 URL:http://www.securitytracker.com/id/1031533 SECTRACK:1031534 URL:http://www.securitytracker.com/id/1031534 SECUNIA:62237 URL:http://secunia.com/advisories/62237 SECUNIA:62242 URL:http://secunia.com/advisories/62242 SECUNIA:62250 URL:http://secunia.com/advisories/62250 SECUNIA:62446 URL:http://secunia.com/advisories/62446 SECUNIA:62657 URL:http://secunia.com/advisories/62657 SECUNIA:62790 URL:http://secunia.com/advisories/62790 SECUNIA:62253 URL:http://secunia.com/advisories/62253 SECUNIA:62273 URL:http://secunia.com/advisories/62273 SECUNIA:62274 URL:http://secunia.com/advisories/62274 SECUNIA:62293 URL:http://secunia.com/advisories/62293 SECUNIA:62304 URL:http://secunia.com/advisories/62304 SECUNIA:62313 URL:http://secunia.com/advisories/62313 SECUNIA:62315 URL:http://secunia.com/advisories/62315 SECUNIA:62316 URL:http://secunia.com/advisories/62316 SECUNIA:62259 URL:http://secunia.com/advisories/62259 SECUNIA:62283 URL:http://secunia.com/advisories/62283 SECUNIA:62418 URL:http://secunia.com/advisories/62418 XF:firefox-cve20148639-session-hijacking(99959) URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/99959
Assigning CNA
N/A
Date Entry Created
20141106	Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20141106)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: cve@mitre.org

Use of the Common Vulnerabilities and Exposures (CVE®) List and the associated references from this website are subject to the terms of use. CVE is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 1999–2018, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. For more information, please contact us.