製品・ソフトウェアに関する情報

JVN脆弱性詳細

複数の Mozilla 製品の Web ワーカーの実装における同一生成元ポリシーを回避される脆弱性

Title	複数の Mozilla 製品の Web ワーカーの実装における同一生成元ポリシーを回避される脆弱性
Summary	Mozilla Firefox、Thunderbird、および SeaMonkey の Web ワーカーの実装には、同一生成元ポリシーを回避され、重要な認証情報を取得される脆弱性が存在します。
Possible impacts	第三者により、エラーメッセージに関する問題によって、同一生成元ポリシーを回避され、重要な認証情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Feb. 4, 2014, midnight
Registration Date	Feb. 7, 2014, 5:43 p.m.
Last Update	Feb. 25, 2014, 5:41 p.m.

CVSS2.0 : 警告
Score	5
Vector	AV:N/AC:L/Au:N/C:P/I:N/A:N

Affected System

Mozilla Foundation

Mozilla Firefox 27.0 未満

Mozilla Firefox ESR 24.3 未満の 24.x

Mozilla SeaMonkey 2.24 未満

Mozilla Thunderbird 24.3 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2014-1487	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1487
National Vulnerability Database (NVD)
2	CVE-2014-1487	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1487

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-255	https://jvndb.jvn.jp/ja/cwe/CWE-255.html

ベンダー情報

No	Name	URL
Mozilla Foundation Security Advisory
1	MFSA2014-09	http://www.mozilla.org/security/announce/2014/mfsa2014-09.html
Mozilla Foundation セキュリティアドバイザリ
2	MFSA2014-09	http://www.mozilla-japan.org/security/announce/2014/mfsa2014-09.html
Red Hat Bugzilla
3	Bug 1060947	https://bugzilla.redhat.com/show_bug.cgi?id=1060947
Red Hat Security Advisory
4	RHSA-2014:0132	http://rhn.redhat.com/errata/RHSA-2014-0132.html
5	RHSA-2014:0132	http://rhn.redhat.com/errata/RHSA-2014-0133.html

その他

No	Name	URL
関連文書
1	Cyberfox 27.0.0	https://8pecxstudios.com/?page_id=44080

Change Log

No	Changed Details	Date of change
0	[2014年02月07日] 掲載 [2014年02月25日] ベンダ情報：レッドハット (Bug 1060947) を追加ベンダ情報：レッドハット (RHSA-2014:0132) を追加ベンダ情報：レッドハット (RHSA-2014:0133) を追加参考情報：関連文書 (Cyberfox 27.0.0) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2014-1487

Summary	The Web workers implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to bypass the Same Origin Policy and obtain sensitive authentication information via vectors involving error messages.
Publication Date	Feb. 6, 2014, 2:44 p.m.
Registration Date	Jan. 26, 2021, 3:06 p.m.
Last Update	Nov. 21, 2024, 11:04 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:mozilla:seamonkey::::::::				2.24
cpe:2.3:a:mozilla:firefox::::::::				27.0
cpe:2.3:a:mozilla:firefox_esr::::::::	24.0			24.3
cpe:2.3:a:mozilla:thunderbird::::::::				24.3

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:20:::::::*
cpe:2.3:o:fedoraproject:fedora:19:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:opensuse:opensuse:12.3:::::::*
cpe:2.3:a:suse:suse_linux_enterprise_software_development_kit:11.0:sp3::::::
cpe:2.3:o:opensuse:opensuse:11.4:::::::*
cpe:2.3:o:opensuse:opensuse:13.1:::::::*
cpe:2.3:o:suse:suse_linux_enterprise_desktop:11:sp3::::::
cpe:2.3:o:suse:suse_linux_enterprise_server:11:sp3::::vmware::*
cpe:2.3:o:suse:suse_linux_enterprise_server:11:sp3::::-::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:13.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:12.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:12.04::::esm:::

Configuration5		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:7.0:::::::*

Configuration6	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_server:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_eus:6.5:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:6.5:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_tus:6.5:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:6.5:::::::*

Related information, measures and tools

No	URL	タグ
1	http://download.novell.com/Download?buildid=VYQsgaFpQ2k	Broken Link
2	http://download.novell.com/Download?buildid=VYQsgaFpQ2k	Broken Link
3	http://download.novell.com/Download?buildid=Y2fux-JW1Qc	Broken Link
4	http://download.novell.com/Download?buildid=Y2fux-JW1Qc	Broken Link
5	http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127966.html	Mailing List Third Party Advisory
6	http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127966.html	Mailing List Third Party Advisory
7	http://lists.fedoraproject.org/pipermail/package-announce/2014-February/129218.html	Mailing List Third Party Advisory
8	http://lists.fedoraproject.org/pipermail/package-announce/2014-February/129218.html	Mailing List Third Party Advisory
9	http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00004.html	Mailing List Third Party Advisory
10	http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00004.html	Mailing List Third Party Advisory
11	http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00005.html	Mailing List Third Party Advisory
12	http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00005.html	Mailing List Third Party Advisory
13	http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00010.html	Mailing List Third Party Advisory
14	http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00010.html	Mailing List Third Party Advisory
15	http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00017.html	Mailing List Third Party Advisory
16	http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00017.html	Mailing List Third Party Advisory
17	http://osvdb.org/102873	Broken Link
18	http://osvdb.org/102873	Broken Link
19	http://rhn.redhat.com/errata/RHSA-2014-0132.html	Third Party Advisory
20	http://rhn.redhat.com/errata/RHSA-2014-0132.html	Third Party Advisory
21	http://rhn.redhat.com/errata/RHSA-2014-0133.html	Third Party Advisory
22	http://rhn.redhat.com/errata/RHSA-2014-0133.html	Third Party Advisory
23	http://secunia.com/advisories/56706	Broken Link
24	http://secunia.com/advisories/56706	Broken Link
25	http://secunia.com/advisories/56761	Broken Link
26	http://secunia.com/advisories/56761	Broken Link
27	http://secunia.com/advisories/56763	Broken Link
28	http://secunia.com/advisories/56763	Broken Link
29	http://secunia.com/advisories/56767	Broken Link
30	http://secunia.com/advisories/56767	Broken Link
31	http://secunia.com/advisories/56787	Broken Link
32	http://secunia.com/advisories/56787	Broken Link
33	http://secunia.com/advisories/56858	Broken Link
34	http://secunia.com/advisories/56858	Broken Link
35	http://secunia.com/advisories/56888	Broken Link
36	http://secunia.com/advisories/56888	Broken Link
37	http://secunia.com/advisories/56922	Broken Link
38	http://secunia.com/advisories/56922	Broken Link
39	http://www.debian.org/security/2014/dsa-2858	Third Party Advisory
40	http://www.debian.org/security/2014/dsa-2858	Third Party Advisory
41	http://www.mozilla.org/security/announce/2014/mfsa2014-09.html	Vendor Advisory
42	http://www.mozilla.org/security/announce/2014/mfsa2014-09.html	Vendor Advisory
43	http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html	Third Party Advisory
44	http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html	Third Party Advisory
45	http://www.securityfocus.com/bid/65330	Third Party Advisory VDB Entry
46	http://www.securityfocus.com/bid/65330	Third Party Advisory VDB Entry
47	http://www.securitytracker.com/id/1029717	Third Party Advisory VDB Entry
48	http://www.securitytracker.com/id/1029717	Third Party Advisory VDB Entry
49	http://www.securitytracker.com/id/1029720	Third Party Advisory VDB Entry
50	http://www.securitytracker.com/id/1029720	Third Party Advisory VDB Entry
51	http://www.securitytracker.com/id/1029721	Third Party Advisory VDB Entry
52	http://www.securitytracker.com/id/1029721	Third Party Advisory VDB Entry
53	http://www.ubuntu.com/usn/USN-2102-1	Third Party Advisory
54	http://www.ubuntu.com/usn/USN-2102-1	Third Party Advisory
55	http://www.ubuntu.com/usn/USN-2102-2	Third Party Advisory
56	http://www.ubuntu.com/usn/USN-2102-2	Third Party Advisory
57	http://www.ubuntu.com/usn/USN-2119-1	Third Party Advisory
58	http://www.ubuntu.com/usn/USN-2119-1	Third Party Advisory
59	https://8pecxstudios.com/?page_id=44080	Broken Link URL Repurposed
60	https://8pecxstudios.com/?page_id=44080	Broken Link URL Repurposed
61	https://bugzilla.mozilla.org/show_bug.cgi?id=947592	Exploit Issue Tracking Vendor Advisory
62	https://bugzilla.mozilla.org/show_bug.cgi?id=947592	Exploit Issue Tracking Vendor Advisory
63	https://exchange.xforce.ibmcloud.com/vulnerabilities/90889	Third Party Advisory VDB Entry
64	https://exchange.xforce.ibmcloud.com/vulnerabilities/90889	Third Party Advisory VDB Entry
65	https://security.gentoo.org/glsa/201504-01	Third Party Advisory
66	https://security.gentoo.org/glsa/201504-01	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-346	同一生成元ポリシー違反	https://cwe.mitre.org/data/definitions/346.html

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:opensuse:opensuse:12.3:::::::*
cpe:2.3:a:suse:suse_linux_enterprise_software_development_kit:11.0:sp3::::::
cpe:2.3:o:opensuse:opensuse:11.4:::::::*
cpe:2.3:o:opensuse:opensuse:13.1:::::::*
cpe:2.3:o:suse:suse_linux_enterprise_desktop:11:sp3::::::
cpe:2.3:o:suse:suse_linux_enterprise_server:11:sp3::::vmware::*
cpe:2.3:o:suse:suse_linux_enterprise_server:11:sp3::::-::*

Configuration6	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_server:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_eus:6.5:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:6.5:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_tus:6.5:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:6.5:::::::*