Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

0

CVE-2014-8639

Disclosure Date: January 14, 2015 •

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 do not properly interpret Set-Cookie headers within responses that have a 407 (aka Proxy Authentication Required) status code, which allows remote HTTP proxy servers to conduct session fixation attacks by providing a cookie name that corresponds to the session cookie of the origin server.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

References

Canonical

CVE-2014-8639 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8639)

BID-72046 (http://www.securityfocus.com/bid/72046)

Advisory

http://rhn.redhat.com/errata/RHSA-2015-0046.html

SECUNIA-62242 (http://secunia.com/advisories/62242)

SECTRACK-1031533 (http://www.securitytracker.com/id/1031533)

USN-2460-1 (http://www.ubuntu.com/usn/USN-2460-1)

http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html

SECUNIA-62304 (http://secunia.com/advisories/62304)

http://linux.oracle.com/errata/ELSA-2015-0047.html

SECUNIA-62259 (http://secunia.com/advisories/62259)

SECUNIA-62250 (http://secunia.com/advisories/62250)

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00033.html

SECUNIA-62237 (http://secunia.com/advisories/62237)

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html

SECUNIA-62418 (http://secunia.com/advisories/62418)

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00032.html

SECUNIA-62316 (http://secunia.com/advisories/62316)

DSA-3132 (http://www.debian.org/security/2015/dsa-3132)

SECUNIA-62274 (http://secunia.com/advisories/62274)

XF-firefox-cve20148639-session-hijacking(99959) (https://exchange.xforce.ibmcloud.com/vulnerabilities/99959)

GLSA-201504-01 (https://security.gentoo.org/glsa/201504-01)

SECUNIA-62313 (http://secunia.com/advisories/62313)

http://rhn.redhat.com/errata/RHSA-2015-0047.html

SECUNIA-62790 (http://secunia.com/advisories/62790)

SECUNIA-62293 (http://secunia.com/advisories/62293)

SECUNIA-62283 (http://secunia.com/advisories/62283)

SECUNIA-62446 (http://secunia.com/advisories/62446)

http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html

SECUNIA-62657 (http://secunia.com/advisories/62657)

SECUNIA-62273 (http://secunia.com/advisories/62273)

http://www.mozilla.org/security/announce/2014/mfsa2015-04.html

http://lists.opensuse.org/opensuse-updates/2015-01/msg00071.html

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html

DSA-3127 (http://www.debian.org/security/2015/dsa-3127)

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00036.html

SECUNIA-62315 (http://secunia.com/advisories/62315)

http://linux.oracle.com/errata/ELSA-2015-0046.html

SECUNIA-62253 (http://secunia.com/advisories/62253)

SECTRACK-1031534 (http://www.securitytracker.com/id/1031534)

https://bugzilla.mozilla.org/show_bug.cgi?id=1095859

Rapid7

Technical Analysis