Bug 925398 - (CVE-2015-0807) VUL-0: CVE-2015-0807: MozillaFirefox: CORS requests should not follow 30x redirections after preflight (MFSA 2015-37)
VUL-0: CVE-2015-0807: MozillaFirefox: CORS requests should not follow 30x red...
Status: RESOLVED DUPLICATE of bug 925368
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Major
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
Blocks: CVE-2014-8638 925368
  Show dependency treegraph
Reported: 2015-04-01 10:33 UTC by Andreas Stieger
Modified: 2016-04-27 19:37 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2015-04-01 10:33:02 UTC
CORS requests should not follow 30x redirections after preflight

Announced:     March 31, 2015
Reporter:     Christoph Kerschbaumer, Muneaki Nishimura
Impact:     High
Products:     Firefox, Firefox ESR, Thunderbird
Fixed in:
        Firefox 37
        Firefox ESR 31.6
        Thunderbird 31.6


Mozilla developer Christoph Kerschbaumer discovered an issue while investigating Mozilla Foundation Security Advisory 2015-03, previously reported by security researcher Muneaki Nishimura. This flaw was that a cross-origin resource sharing (CORS) request should not follow 30x redirections after preflight according to the specification. This only affects sendBeacon() requests but could allow for a potential Cross-site request forgery (XSRF) attack from malicious websites.

In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.

Comment 1 Swamp Workflow Management 2015-04-01 13:07:41 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-04-15.
When done, reassign the bug to security-team@suse.de.
Comment 2 Swamp Workflow Management 2015-04-01 22:01:18 UTC
bugbot adjusting priority
Comment 4 Andreas Stieger 2015-04-02 08:43:48 UTC
merge into parent

*** This bug has been marked as a duplicate of bug 925368 ***
Comment 5 Swamp Workflow Management 2015-04-08 09:06:13 UTC
openSUSE-SU-2015:0677-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 925368,925392,925393,925394,925395,925396,925397,925398,925399,925400,925401,925402,926166
CVE References: CVE-2015-0799,CVE-2015-0801,CVE-2015-0802,CVE-2015-0803,CVE-2015-0804,CVE-2015-0805,CVE-2015-0806,CVE-2015-0807,CVE-2015-0808,CVE-2015-0811,CVE-2015-0812,CVE-2015-0813,CVE-2015-0814,CVE-2015-0815,CVE-2015-0816
Sources used:
openSUSE 13.2 (src):    MozillaFirefox-37.0.1-23.1, MozillaThunderbird-31.6.0-15.3, mozilla-nspr-4.10.8-6.1
openSUSE 13.1 (src):    MozillaFirefox-37.0.1-68.1, MozillaThunderbird-31.6.0-70.50.2, mozilla-nspr-4.10.8-22.1