製品・ソフトウェアに関する情報

JVN脆弱性詳細

複数の Mozilla 製品におけるクロスサイトリクエストフォージェリの脆弱性

Title	複数の Mozilla 製品におけるクロスサイトリクエストフォージェリの脆弱性
Summary	複数の Mozilla 製品は、サンドボックス内で作成された XMLHttpRequest オブジェクトに、サンドボックスのプリンシパルではなく、システムのプリンシパルを割り当てるため、クロスサイトリクエストフォージェリ攻撃を実行される、または重要な情報を取得される脆弱性が存在します。
Possible impacts	第三者により、サンドボックスのアドオンを利用されることで、クロスサイトリクエストフォージェリ攻撃を実行される、または重要な情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Nov. 20, 2012, midnight
Registration Date	Nov. 22, 2012, 12:08 p.m.
Last Update	Dec. 14, 2012, 4:40 p.m.

CVSS2.0 : 警告
Score	6.8
Vector	AV:N/AC:M/Au:N/C:P/I:P/A:P

Affected System

Mozilla Foundation

Mozilla Firefox 17.0 未満

Mozilla SeaMonkey 2.14 未満

Mozilla Thunderbird 17.0 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2012-4205	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4205
National Vulnerability Database (NVD)
2	CVE-2012-4205	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4205

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-DesignError	https://www.ipa.go.jp/security/vuln/CWE.html#CWEDesignError

ベンダー情報

No	Name	URL
Mozilla Foundation Security Advisory
1	MFSA2012-97	http://www.mozilla.org/security/announce/2012/mfsa2012-97.html
Mozilla Foundation セキュリティアドバイザリ
2	MFSA2012-97	http://www.mozilla-japan.org/security/announce/2012/mfsa2012-97.html
opensuse-updates
3	openSUSE-SU-2012:1585	http://lists.opensuse.org/opensuse-updates/2012-11/msg00092.html
4	openSUSE-SU-2012:1586	http://lists.opensuse.org/opensuse-updates/2012-11/msg00093.html
Ubuntu Security Notice
5	USN-1638-1	http://www.ubuntu.com/usn/USN-1638-1/

Change Log

No	Changed Details	Date of change
0	[2012年11月22日] 掲載 [2012年12月14日] ベンダ情報：Ubuntu (USN-1638-1) を追加ベンダ情報：openSUSE (openSUSE-SU-2012:1585) を追加ベンダ情報：openSUSE (openSUSE-SU-2012:1586) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2012-4205

Summary	Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 assign the system principal, rather than the sandbox principal, to XMLHttpRequest objects created in sandboxes, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks or obtain sensitive information by leveraging a sandboxed add-on.
Publication Date	Nov. 21, 2012, 9:55 p.m.
Registration Date	Jan. 28, 2021, 3:02 p.m.
Last Update	Nov. 21, 2024, 10:42 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:mozilla:firefox::::::::				17.0
cpe:2.3:a:mozilla:seamonkey::::::::				2.14
cpe:2.3:a:mozilla:thunderbird::::::::				17.0

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:11.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:12.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:12.04::::esm:::
cpe:2.3:o:canonical:ubuntu_linux:10.04:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:suse:linux_enterprise_desktop:11:sp2::::::
cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp3::::::
cpe:2.3:o:opensuse:opensuse:11.4:::::::*
cpe:2.3:o:opensuse:opensuse:12.2:::::::*
cpe:2.3:o:opensuse:opensuse:12.1:::::::*
cpe:2.3:o:suse:linux_enterprise_server:11:sp2::::vmware::*
cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp2::::::
cpe:2.3:o:suse:linux_enterprise_server:11:sp2::::-::*
cpe:2.3:o:suse:linux_enterprise_desktop:10:sp4:::-:::*
cpe:2.3:o:suse:linux_enterprise_server:10:sp4:::-:::*

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00021.html	Mailing List Third Party Advisory
2	http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00021.html	Mailing List Third Party Advisory
3	http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00022.html	Mailing List Third Party Advisory
4	http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00022.html	Mailing List Third Party Advisory
5	http://lists.opensuse.org/opensuse-updates/2012-11/msg00090.html	Mailing List Third Party Advisory
6	http://lists.opensuse.org/opensuse-updates/2012-11/msg00090.html	Mailing List Third Party Advisory
7	http://lists.opensuse.org/opensuse-updates/2012-11/msg00092.html	Mailing List Third Party Advisory
8	http://lists.opensuse.org/opensuse-updates/2012-11/msg00092.html	Mailing List Third Party Advisory
9	http://lists.opensuse.org/opensuse-updates/2012-11/msg00093.html	Mailing List Third Party Advisory
10	http://lists.opensuse.org/opensuse-updates/2012-11/msg00093.html	Mailing List Third Party Advisory
11	http://secunia.com/advisories/51369	Broken Link
12	http://secunia.com/advisories/51369	Broken Link
13	http://secunia.com/advisories/51370	Broken Link
14	http://secunia.com/advisories/51370	Broken Link
15	http://secunia.com/advisories/51381	Broken Link
16	http://secunia.com/advisories/51381	Broken Link
17	http://secunia.com/advisories/51434	Broken Link
18	http://secunia.com/advisories/51434	Broken Link
19	http://secunia.com/advisories/51439	Broken Link
20	http://secunia.com/advisories/51439	Broken Link
21	http://secunia.com/advisories/51440	Broken Link
22	http://secunia.com/advisories/51440	Broken Link
23	http://www.mozilla.org/security/announce/2012/mfsa2012-97.html	Vendor Advisory
24	http://www.mozilla.org/security/announce/2012/mfsa2012-97.html	Vendor Advisory
25	http://www.securityfocus.com/bid/56621	Third Party Advisory VDB Entry
26	http://www.securityfocus.com/bid/56621	Third Party Advisory VDB Entry
27	http://www.ubuntu.com/usn/USN-1636-1	Third Party Advisory
28	http://www.ubuntu.com/usn/USN-1636-1	Third Party Advisory
29	http://www.ubuntu.com/usn/USN-1638-1	Third Party Advisory
30	http://www.ubuntu.com/usn/USN-1638-1	Third Party Advisory
31	http://www.ubuntu.com/usn/USN-1638-2	Third Party Advisory
32	http://www.ubuntu.com/usn/USN-1638-2	Third Party Advisory
33	http://www.ubuntu.com/usn/USN-1638-3	Third Party Advisory
34	http://www.ubuntu.com/usn/USN-1638-3	Third Party Advisory
35	https://bugzilla.mozilla.org/show_bug.cgi?id=779821	Issue Tracking Vendor Advisory
36	https://bugzilla.mozilla.org/show_bug.cgi?id=779821	Issue Tracking Vendor Advisory
37	https://exchange.xforce.ibmcloud.com/vulnerabilities/80175	Third Party Advisory VDB Entry
38	https://exchange.xforce.ibmcloud.com/vulnerabilities/80175	Third Party Advisory VDB Entry
39	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16965	Third Party Advisory
40	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16965	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-352	クロスサイト・リクエスト・フォージェリ（CSRF）	https://cwe.mitre.org/data/definitions/352.html
2	CWE-352	同一生成元ポリシー違反	https://cwe.mitre.org/data/definitions/346.html

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:suse:linux_enterprise_desktop:11:sp2::::::
cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp3::::::
cpe:2.3:o:opensuse:opensuse:11.4:::::::*
cpe:2.3:o:opensuse:opensuse:12.2:::::::*
cpe:2.3:o:opensuse:opensuse:12.1:::::::*
cpe:2.3:o:suse:linux_enterprise_server:11:sp2::::vmware::*
cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp2::::::
cpe:2.3:o:suse:linux_enterprise_server:11:sp2::::-::*
cpe:2.3:o:suse:linux_enterprise_desktop:10:sp4:::-:::*
cpe:2.3:o:suse:linux_enterprise_server:10:sp4:::-:::*