CVE-2008-7293
Published: 9 August 2011
Mozilla Firefox before 4 cannot properly restrict modifications to cookies established in HTTPS sessions, which allows man-in-the-middle attackers to overwrite or delete arbitrary cookies via a Set-Cookie header in an HTTP response, related to lack of the HTTP Strict Transport Security (HSTS) includeSubDomains feature, aka a "cookie forcing" issue.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
firefox Launchpad, Ubuntu, Debian |
hardy |
Ignored
(uses system xulrunner)
|
| lucid |
Released
(3.6.23+build1+nobinonly-0ubuntu0.10.04.1)
|
|
| maverick |
Released
(3.6.23+build1+nobinonly-0ubuntu0.10.04.1)
|
|
| natty |
Not vulnerable
(7.0.1+build1+nobinonly-0ubuntu0.11.04.1)
|
|
| oneiric |
Not vulnerable
|
|
| precise |
Not vulnerable
|
|
| upstream |
Released
(3.6)
|
|
|
firefox-3.0 Launchpad, Ubuntu, Debian |
hardy |
Released
(3.6.17+build3+nobinonly-0ubuntu0.8.04.1)
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| upstream |
Needs triage
(Ubuntu source uses 3.6.x)
|
|
|
firefox-3.5 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| upstream |
Needs triage
(Ubuntu source uses 3.6.x)
|
|
|
seamonkey Launchpad, Ubuntu, Debian |
hardy |
Ignored
(reached end-of-life)
|
| lucid |
Not vulnerable
|
|
| maverick |
Not vulnerable
|
|
| natty |
Not vulnerable
|
|
| oneiric |
Not vulnerable
|
|
| precise |
Not vulnerable
|
|
| upstream |
Needs triage
|
|
|
thunderbird Launchpad, Ubuntu, Debian |
hardy |
Ignored
(reached end-of-life)
|
| lucid |
Not vulnerable
|
|
| maverick |
Not vulnerable
|
|
| natty |
Not vulnerable
|
|
| oneiric |
Not vulnerable
|
|
| precise |
Not vulnerable
|
|
| upstream |
Needs triage
|
|
|
xulrunner-1.9.2 Launchpad, Ubuntu, Debian |
hardy |
Not vulnerable
|
| lucid |
Not vulnerable
|
|
| maverick |
Not vulnerable
|
|
| natty |
Not vulnerable
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
xulrunner-2.0 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| natty |
Not vulnerable
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| upstream |
Needs triage
|
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7293
- http://scarybeastsecurity.blogspot.com/2011/02/some-less-obvious-benefits-of-hsts.html
- http://scarybeastsecurity.blogspot.com/2008/11/cookie-forcing.html
- http://michael-coates.blogspot.com/2010/01/cookie-forcing-trust-your-cookies-no.html
- NVD
- Launchpad
- Debian