FKIE_CVE-2015-7215

Vulnerability from fkie_nvd - Published: 2015-12-16 11:59 - Updated: 2026-05-06 22:30
Severity
Summary
The importScripts function in the Web Workers API implementation in Mozilla Firefox before 43.0 allows remote attackers to bypass the Same Origin Policy by triggering use of the no-cors mode in the fetch API to attempt resource access that throws an exception, leading to information disclosure after a rethrow.
References
security@mozilla.orghttp://lists.fedoraproject.org/pipermail/package-announce/2015-December/174083.html
security@mozilla.orghttp://lists.fedoraproject.org/pipermail/package-announce/2015-December/174253.html
security@mozilla.orghttp://lists.opensuse.org/opensuse-updates/2015-12/msg00104.html
security@mozilla.orghttp://lists.opensuse.org/opensuse-updates/2016-02/msg00007.html
security@mozilla.orghttp://lists.opensuse.org/opensuse-updates/2016-02/msg00008.html
security@mozilla.orghttp://www.mozilla.org/security/announce/2015/mfsa2015-140.htmlVendor Advisory
security@mozilla.orghttp://www.securityfocus.com/bid/79280
security@mozilla.orghttp://www.securitytracker.com/id/1034426
security@mozilla.orghttp://www.ubuntu.com/usn/USN-2833-1
security@mozilla.orghttps://bugzilla.mozilla.org/show_bug.cgi?id=1160890
security@mozilla.orghttps://github.com/whatwg/html/issues/164
security@mozilla.orghttps://github.com/whatwg/html/pull/166
security@mozilla.orghttps://security.gentoo.org/glsa/201512-10
security@mozilla.orghttps://www.w3.org/Bugs/Public/show_bug.cgi?id=28961Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174083.html
af854a3a-2127-422b-91ae-364da2661108http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174253.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-updates/2015-12/msg00104.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-updates/2016-02/msg00007.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-updates/2016-02/msg00008.html
af854a3a-2127-422b-91ae-364da2661108http://www.mozilla.org/security/announce/2015/mfsa2015-140.htmlVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/79280
af854a3a-2127-422b-91ae-364da2661108http://www.securitytracker.com/id/1034426
af854a3a-2127-422b-91ae-364da2661108http://www.ubuntu.com/usn/USN-2833-1
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.mozilla.org/show_bug.cgi?id=1160890
af854a3a-2127-422b-91ae-364da2661108https://github.com/whatwg/html/issues/164
af854a3a-2127-422b-91ae-364da2661108https://github.com/whatwg/html/pull/166
af854a3a-2127-422b-91ae-364da2661108https://security.gentoo.org/glsa/201512-10
af854a3a-2127-422b-91ae-364da2661108https://www.w3.org/Bugs/Public/show_bug.cgi?id=28961Vendor Advisory
Impacted products
Vendor Product Version
fedoraproject fedora 22
fedoraproject fedora 23
opensuse leap 42.1
opensuse opensuse 13.1
opensuse opensuse 13.2
mozilla firefox *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*",
              "matchCriteriaId": "253C303A-E577-4488-93E6-68A8DD942C38",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*",
              "matchCriteriaId": "E79AB8DD-C907-4038-A931-1A5A4CFB6A5B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "4863BE36-D16A-4D75-90D9-FD76DB5B48B7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "735317AD-14B8-4A73-B5B0-6A4C84FC202E",
              "versionEndIncluding": "42.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The importScripts function in the Web Workers API implementation in Mozilla Firefox before 43.0 allows remote attackers to bypass the Same Origin Policy by triggering use of the no-cors mode in the fetch API to attempt resource access that throws an exception, leading to information disclosure after a rethrow."
    },
    {
      "lang": "es",
      "value": "La funci\u00f3n importScripts en la implementaci\u00f3n API Web Workers en Mozilla Firefox en versiones anteriores a 43.0 permite a atacantes remotos eludir la Same Origin Policy desencadenando el uso del modo no-cors en la API fetch para intentar acceder a los recursos que producen una excepci\u00f3n, dando lugar a la divulgaci\u00f3n de informaci\u00f3n despu\u00e9s de un volver a lanzar."
    }
  ],
  "id": "CVE-2015-7215",
  "lastModified": "2026-05-06T22:30:45.220",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2015-12-16T11:59:13.540",
  "references": [
    {
      "source": "security@mozilla.org",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174083.html"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174253.html"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00104.html"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00007.html"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00008.html"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.mozilla.org/security/announce/2015/mfsa2015-140.html"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://www.securityfocus.com/bid/79280"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://www.securitytracker.com/id/1034426"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://www.ubuntu.com/usn/USN-2833-1"
    },
    {
      "source": "security@mozilla.org",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1160890"
    },
    {
      "source": "security@mozilla.org",
      "url": "https://github.com/whatwg/html/issues/164"
    },
    {
      "source": "security@mozilla.org",
      "url": "https://github.com/whatwg/html/pull/166"
    },
    {
      "source": "security@mozilla.org",
      "url": "https://security.gentoo.org/glsa/201512-10"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.w3.org/Bugs/Public/show_bug.cgi?id=28961"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174083.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174253.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00104.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00007.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00008.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.mozilla.org/security/announce/2015/mfsa2015-140.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/79280"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id/1034426"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.ubuntu.com/usn/USN-2833-1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1160890"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/whatwg/html/issues/164"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/whatwg/html/pull/166"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.gentoo.org/glsa/201512-10"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.w3.org/Bugs/Public/show_bug.cgi?id=28961"
    }
  ],
  "sourceIdentifier": "security@mozilla.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.