CVE-2014-8639

Published: Jan 14, 2015Modified: May 6, 2026

6.8

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability: 8.6 / Impact: 6.4

Source: NVD

Description

Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 do not properly interpret Set-Cookie headers within responses that have a 407 (aka Proxy Authentication Required) status code, which allows remote HTTP proxy servers to conduct session fixation attacks by providing a cookie name that corresponds to the session cookie of the origin server.

Affected (8)

Products: Mozilla: Seamonkey, Firefox, Firefox Esr, Thunderbird

4 products

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mozilla Seamonkey	Up to 2.31

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Up to 34.0.5

Configuration C

5 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Version 31.0
Mozilla Firefox	Version 31.1.0
Mozilla Firefox	Version 31.1.1
Mozilla Firefox	Version 31.3.0
Mozilla Firefox Esr	Version 31.2

Configuration D

1 vulnerable

Vulnerable Software	Affected Versions
Mozilla Thunderbird	Up to 31.3.0

References (78)

http://linux.oracle.com/errata/ELSA-2015-0046.html

Source: security@mozilla.org

http://linux.oracle.com/errata/ELSA-2015-0047.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00032.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00033.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00036.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-updates/2015-01/msg00071.html

Source: security@mozilla.org

http://rhn.redhat.com/errata/RHSA-2015-0046.html

Source: security@mozilla.org

http://rhn.redhat.com/errata/RHSA-2015-0047.html

Source: security@mozilla.org

http://secunia.com/advisories/62237

Source: security@mozilla.org

http://secunia.com/advisories/62242

Source: security@mozilla.org

http://secunia.com/advisories/62250

Source: security@mozilla.org

http://secunia.com/advisories/62253

Source: security@mozilla.org

http://secunia.com/advisories/62259

Source: security@mozilla.org

http://secunia.com/advisories/62273

Source: security@mozilla.org

http://secunia.com/advisories/62274

Source: security@mozilla.org

http://secunia.com/advisories/62283

Source: security@mozilla.org

http://secunia.com/advisories/62293

Source: security@mozilla.org

http://secunia.com/advisories/62304

Source: security@mozilla.org

http://secunia.com/advisories/62313

Source: security@mozilla.org

http://secunia.com/advisories/62315

Source: security@mozilla.org

http://secunia.com/advisories/62316

Source: security@mozilla.org

http://secunia.com/advisories/62418

Source: security@mozilla.org

http://secunia.com/advisories/62446

Source: security@mozilla.org

http://secunia.com/advisories/62657

Source: security@mozilla.org

http://secunia.com/advisories/62790

Source: security@mozilla.org

http://www.debian.org/security/2015/dsa-3127

Source: security@mozilla.org

http://www.debian.org/security/2015/dsa-3132

Source: security@mozilla.org

http://www.mozilla.org/security/announce/2014/mfsa2015-04.html

Source: security@mozilla.org

Vendor Advisory

http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html

Source: security@mozilla.org

http://www.securityfocus.com/bid/72046

Source: security@mozilla.org

http://www.securitytracker.com/id/1031533

Source: security@mozilla.org

http://www.securitytracker.com/id/1031534

Source: security@mozilla.org

http://www.ubuntu.com/usn/USN-2460-1

Source: security@mozilla.org

https://bugzilla.mozilla.org/show_bug.cgi?id=1095859

Source: security@mozilla.org

https://exchange.xforce.ibmcloud.com/vulnerabilities/99959

Source: security@mozilla.org

https://security.gentoo.org/glsa/201504-01

Source: security@mozilla.org

http://linux.oracle.com/errata/ELSA-2015-0046.html