Bug 864414 (CVE-2013-6167) - VUL-0: CVE-2013-6167: MozillaFirefox: browser document.cookie DoS vulnerability
Status: RESOLVED WORKSFORME
Alias: CVE-2013-6167
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Normal
Target Milestone: ---
Assignee: Petr Cerny
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/96295/
Whiteboard: CVSSv2:RedHat:CVE-2013-6167:4.3:(AV:N...
Reported: 2014-02-18 14:45 UTC by Victor Pereira
Modified: 2020-04-01 22:10 UTC

Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Victor Pereira 2014-02-18 14:45:24 UTC
CVE-2013-6167

Mozilla Firefox through 27 sends HTTP Cookie headers without first
validating that they have the required character-set restrictions,
which allows remote attackers to conduct the equivalent of a
persistent Logout CSRF attack via a crafted parameter that forces a
web application to set a malformed cookie within an HTTP response.

References:
http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-6167.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6167
http://www.cvedetails.com/cve/CVE-2013-6167/
https://bugzilla.redhat.com/show_bug.cgi?id=1066219
https://bugzilla.mozilla.org/show_bug.cgi?id=858215
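
Added example, not part of the original bug report and not Firefox or SUSE code: because the description involves a crafted parameter that makes a web application set a malformed cookie, a server-side guard (Node.js assumed) can keep reflected values inside the RFC 6265 cookie-octet grammar and flag malformed pairs in an incoming Cookie header. All function names are hypothetical and the inputs in the comments are constructed.

```javascript
// RFC 6265 section 4.1.1:
// cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
const COOKIE_OCTETS = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;
// cookie-name is an HTTP token: visible ASCII without separators.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// True if value matches cookie-value: cookie-octets, optionally wrapped
// in exactly one pair of double quotes.
function isValidCookieValue(value) {
  const inner = /^".*"$/s.test(value) ? value.slice(1, -1) : value;
  return COOKIE_OCTETS.test(inner);
}

// Percent-encode every UTF-8 byte that is not a cookie-octet. '%' itself is
// encoded as well so the value decodes unambiguously.
function encodeCookieValue(raw) {
  return Array.from(Buffer.from(String(raw), 'utf8'), (b) => {
    const ch = String.fromCharCode(b);
    return b !== 0x25 && COOKIE_OCTETS.test(ch)
      ? ch
      : '%' + b.toString(16).toUpperCase().padStart(2, '0');
  }).join('');
}

// Build a Set-Cookie header from an untrusted value (e.g. a query parameter).
// The name must come from server code; an invalid name is a programming error.
function buildSetCookie(name, rawValue) {
  if (!TOKEN.test(name)) throw new Error('invalid cookie name');
  const value = encodeCookieValue(rawValue);
  if (!isValidCookieValue(value)) throw new Error('invalid cookie value');
  return `${name}=${value}; Path=/; HttpOnly`;
}

// Return the names of cookies in a request Cookie header whose name or value
// violates the grammar, so the application can expire them in its response
// instead of failing the whole request on every visit.
function findMalformedCookies(cookieHeader) {
  return cookieHeader.split(';').map((p) => p.trim()).filter(Boolean)
    .map((pair) => {
      const eq = pair.indexOf('=');
      return eq < 0 ? [pair, ''] : [pair.slice(0, eq), pair.slice(eq + 1)];
    })
    .filter(([n, v]) => !TOKEN.test(n) || !isValidCookieValue(v))
    .map(([n]) => n);
}

// Constructed inputs:
//   buildSetCookie('theme', 'dark mode;x')
//   findMalformedCookies('sid=abc123; theme=dark mode; pref=a,b; lang=en')
```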
Comment 1 Swamp Workflow Management 2014-02-18 23:00:37 UTC
bugbot adjusting priority
Comment 2 SMASH SMASH 2014-02-19 10:25:27 UTC
Affected packages:

SLE-11-SP3: MozillaFirefox
SLE-10-SP3-TERADATA: MozillaFirefox
SLE-11-SP2: MozillaFirefox
Comment 3 Marcus Meissner 2014-09-05 09:36:29 UTC
not fixed upstream yet.
Comment 4 Johannes Segitz 2015-04-07 13:57:53 UTC
no progress upstream
Comment 5 Marcus Meissner 2016-03-10 10:18:30 UTC
status unchanged upstream
Comment 6 Andreas Stieger 2016-11-18 14:37:52 UTC
resolved WONTFIX upstream