CVE-2016-1939 — Sensitive Information Exposure in Mozilla Firefox

CWE-200 — Sensitive Information Exposure9 documents6 sources

Severity

5.3MEDIUMNVD

OSV9.8OSV5.0

EPSS

0.6%

top 30.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Opensuse Leap Opensuse

Timeline

PublishedJan 31

Latest updateMay 14

Description

Mozilla Firefox before 44.0 stores cookies with names containing vertical tab characters, which allows remote attackers to obtain sensitive information by reading HTTP Cookie headers. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-7208.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶Ubuntumozilla/firefox< 44.0+build3-0ubuntu0.14.04.1+1

▶NVDmozilla/firefox43.0.4

▶NVDopensuse/leap42.1

▶NVDopensuse/opensuse13.1, 13.2+1

🔴Vulnerability Details

GHSA

GHSA-r5m5-v5v5-wq3f: Mozilla Firefox before 44↗2022-05-14

▶

OSV

firefox regression↗2016-02-08

▶

OSV

firefox vulnerabilities↗2016-01-27

▶

OSV

CVE-2016-1939: Mozilla Firefox before 44↗2016-01-26

▶

📋Vendor Advisories

Ubuntu

Firefox regression↗2016-02-08

▶

Ubuntu

Firefox vulnerabilities↗2016-01-27

▶

Red Hat

Mozilla: Firefox allows for control characters to be set in cookie names (MFSA 2016-04)↗2016-01-26

▶

💬Community

Bugzilla

CVE-2016-1939 Mozilla: Firefox allows for control characters to be set in cookie names (MFSA 2016-04)↗2016-01-26

▶