CVE-2011-2990

Published: 17 August 2011

The implementation of Content Security Policy (CSP) violation reports in Mozilla Firefox 4.x through 5, SeaMonkey 2.x before 2.3, and possibly other products does not remove proxy-authorization credentials from the listed request headers, which allows attackers to obtain sensitive information by reading a report, related to incorrect host resolution that occurs with certain redirects.

Priority

Medium

Status

Package Release Status
firefox
Launchpad, Ubuntu, Debian
Upstream
Released (6.0)
firefox-3.0
Launchpad, Ubuntu, Debian
Upstream Needs triage
(Ubuntu source uses 3.6.x)
firefox-3.5
Launchpad, Ubuntu, Debian
Upstream Needs triage
(Ubuntu source uses 3.6.x)
seamonkey
Launchpad, Ubuntu, Debian
Upstream Not vulnerable

thunderbird
Launchpad, Ubuntu, Debian
Upstream Not vulnerable

xulrunner-1.9.2
Launchpad, Ubuntu, Debian
Upstream Not vulnerable

xulrunner-2.0
Launchpad, Ubuntu, Debian
Upstream Needed