1272461 – (CVE-2015-7184) CVE-2015-7184 firefox: cross-origin restriction bypass using Fetch

Bug 1272461 (CVE-2015-7184) - CVE-2015-7184 firefox: cross-origin restriction bypass using Fetch

Summary: CVE-2015-7184 firefox: cross-origin restriction bypass using Fetch

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2015-7184
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-10-16 12:57 UTC by Martin Prpič
Modified:	2021-02-17 04:50 UTC (History)
CC List:	5 users (show)
Fixed In Version:	firefox 41.0.2
Clone Of:
Environment:
Last Closed:	2015-10-16 12:58:55 UTC
Embargoed:

Attachments	(Terms of Use)

Description Martin Prpič 2015-10-16 12:57:09 UTC

A cross-origin restriction bypass flaw was found in Firefox:

Security researcher Abdulrahman Alqabandi reported that the fetch() API did not correctly implement the Cross-Origin Resource Sharing (CORS) specification, allowing a malicious page to access private data from other origins. Mozilla developer Ben Kelly independently reported the same issue.

This issue was fixed in Firefox 41.0.2.

Upstream bugs:

https://bugzilla.mozilla.org/show_bug.cgi?id=1208339
https://bugzilla.mozilla.org/show_bug.cgi?id=1212669

External References:

https://www.mozilla.org/en-US/security/advisories/mfsa2015-115/

Comment 1 Martin Prpič 2015-10-16 12:58:09 UTC

Fixed in Fedora in packages:

firefox-41.0.2-2.fc23
firefox-41.0.2-2.fc21
firefox-41.0.2-2.fc24
firefox-41.0.2-2.fc22

Comment 2 Martin Prpič 2015-10-16 12:58:55 UTC

Statement:

This issue did not affect the versions of firefox as shipped with Red Hat Enterprise Linux 5, 6, and 7.

Note You need to log in before you can comment on or make changes to this bug.