Bug 1272461 (CVE-2015-7184) - CVE-2015-7184 firefox: cross-origin restriction bypass using Fetch
Summary: CVE-2015-7184 firefox: cross-origin restriction bypass using Fetch
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2015-7184
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-10-16 12:57 UTC by Martin Prpič
Modified: 2021-02-17 04:50 UTC (History)
5 users (show)

Fixed In Version: firefox 41.0.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-10-16 12:58:55 UTC


Attachments (Terms of Use)

Description Martin Prpič 2015-10-16 12:57:09 UTC
A cross-origin restriction bypass flaw was found in Firefox:

Security researcher Abdulrahman Alqabandi reported that the fetch() API did not correctly implement the Cross-Origin Resource Sharing (CORS) specification, allowing a malicious page to access private data from other origins. Mozilla developer Ben Kelly independently reported the same issue.

This issue was fixed in Firefox 41.0.2.

Upstream bugs:

https://bugzilla.mozilla.org/show_bug.cgi?id=1208339
https://bugzilla.mozilla.org/show_bug.cgi?id=1212669

External References:

https://www.mozilla.org/en-US/security/advisories/mfsa2015-115/

Comment 1 Martin Prpič 2015-10-16 12:58:09 UTC
Fixed in Fedora in packages:

firefox-41.0.2-2.fc23
firefox-41.0.2-2.fc21
firefox-41.0.2-2.fc24
firefox-41.0.2-2.fc22

Comment 2 Martin Prpič 2015-10-16 12:58:55 UTC
Statement:

This issue did not affect the versions of firefox as shipped with Red Hat Enterprise Linux 5, 6, and 7.


Note You need to log in before you can comment on or make changes to this bug.