CVE-2014-1582 - OpenCVE

The Public Key Pinning (PKP) implementation in Mozilla Firefox before 33.0 does not properly consider the connection-coalescing behavior of SPDY and HTTP/2 in the case of a shared IP address, which allows man-in-the-middle attackers to bypass an intended pinning configuration and spoof a web site by providing a valid certificate from an arbitrary recognized Certification Authority.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Mozilla	Firefox

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox::::::::
	cpe:2.3:a:mozilla:firefox:30.0:::::::*
	cpe:2.3:a:mozilla:firefox:31.0:::::::*
	cpe:2.3:a:mozilla:firefox:31.1.0:::::::*

References

Link	Resource
http://lists.fedoraproject.org/pipermail/package-announce/2014-November/141796.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141085.html
http://lists.opensuse.org/opensuse-updates/2014-11/msg00001.html
http://lists.opensuse.org/opensuse-updates/2014-11/msg00002.html
http://secunia.com/advisories/62022
http://secunia.com/advisories/62023
http://www.mozilla.org/security/announce/2014/mfsa2014-80.html	Vendor Advisory
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.securityfocus.com/bid/70432
http://www.securitytracker.com/id/1031028
http://www.ubuntu.com/usn/USN-2372-1
https://bugzilla.mozilla.org/show_bug.cgi?id=1049095
https://security.gentoo.org/glsa/201504-01

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mozilla

Published: 2014-10-15T10:00:00

Updated: 2016-12-20T16:57:01

Reserved: 2014-01-16T00:00:00

Link: CVE-2014-1582

JSON object: View

NVD Information

Status : Modified

Published: 2014-10-15T10:55:06.897

Modified: 2016-12-22T02:59:13.937

Link: CVE-2014-1582

JSON object: View

Redhat Information

No data.

CWE

CWE-310

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-10-14T00:00:00", "descriptions": [{"lang": "en", "value": "The Public Key Pinning (PKP) implementation in Mozilla Firefox before 33.0 does not properly consider the connection-coalescing behavior of SPDY and HTTP/2 in the case of a shared IP address, which allows man-in-the-middle attackers to bypass an intended pinning configuration and spoof a web site by providing a valid certificate from an arbitrary recognized Certification Authority."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-12-20T16:57:01", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1049095"}, {"name": "openSUSE-SU-2014:1344", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00001.html"}, {"name": "FEDORA-2014-13042", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141085.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.mozilla.org/security/announce/2014/mfsa2014-80.html"}, {"name": "1031028", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1031028"}, {"name": "openSUSE-SU-2014:1345", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00002.html"}, {"name": "GLSA-201504-01", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201504-01"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"name": "FEDORA-2014-14084", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-November/141796.html"}, {"name": "USN-2372-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2372-1"}, {"name": "62022", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/62022"}, {"name": "62023", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/62023"}, {"name": "70432", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/70432"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2014-1582", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Public Key Pinning (PKP) implementation in Mozilla Firefox before 33.0 does not properly consider the connection-coalescing behavior of SPDY and HTTP/2 in the case of a shared IP address, which allows man-in-the-middle attackers to bypass an intended pinning configuration and spoof a web site by providing a valid certificate from an arbitrary recognized Certification Authority."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1049095", "refsource": "CONFIRM", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1049095"}, {"name": "openSUSE-SU-2014:1344", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00001.html"}, {"name": "FEDORA-2014-13042", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141085.html"}, {"name": "http://www.mozilla.org/security/announce/2014/mfsa2014-80.html", "refsource": "CONFIRM", "url": "http://www.mozilla.org/security/announce/2014/mfsa2014-80.html"}, {"name": "1031028", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1031028"}, {"name": "openSUSE-SU-2014:1345", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00002.html"}, {"name": "GLSA-201504-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201504-01"}, {"name": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"name": "FEDORA-2014-14084", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-November/141796.html"}, {"name": "USN-2372-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2372-1"}, {"name": "62022", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/62022"}, {"name": "62023", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/62023"}, {"name": "70432", "refsource": "BID", "url": "http://www.securityfocus.com/bid/70432"}]}}}}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2014-1582", "datePublished": "2014-10-15T10:00:00", "dateReserved": "2014-01-16T00:00:00", "dateUpdated": "2016-12-20T16:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "97A0B769-5287-4E95-874B-F1D7FC41C7AF", "versionEndIncluding": "32.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:30.0:*:*:*:*:*:*:*", "matchCriteriaId": "38EBC9E7-46AD-4DCD-AA7B-5071F55E3755", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:31.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11F024A-A8B7-405B-8A13-4BF406FBDB22", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:31.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "D81A3698-797C-4CD9-BB02-A9182E0A6E11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Public Key Pinning (PKP) implementation in Mozilla Firefox before 33.0 does not properly consider the connection-coalescing behavior of SPDY and HTTP/2 in the case of a shared IP address, which allows man-in-the-middle attackers to bypass an intended pinning configuration and spoof a web site by providing a valid certificate from an arbitrary recognized Certification Authority."}, {"lang": "es", "value": "La implementaci\u00f3n Public Key Pinning (PKP) en Mozilla Firefox anterior a 33.0 no considera debidamente el comportamiento de la integraci\u00f3n de conexiones (connection-coalescing) de SPDY y HTTP/2 en el caso de una direcci\u00f3n IP compartida, lo que permite a atacantes man-in-the-middle evadir una configuraci\u00f3n de fijaci\u00f3n (pinning) y suplantar un sitio web mediante la provisi\u00f3n de un certificado v\u00e1lido de una autoridad de certificaci\u00f3n reconocida y arbitraria."}], "id": "CVE-2014-1582", "lastModified": "2016-12-22T02:59:13.937", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2014-10-15T10:55:06.897", "references": [{"source": "security@mozilla.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-November/141796.html"}, {"source": "security@mozilla.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141085.html"}, {"source": "security@mozilla.org", "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00001.html"}, {"source": "security@mozilla.org", "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00002.html"}, {"source": "security@mozilla.org", "url": "http://secunia.com/advisories/62022"}, {"source": "security@mozilla.org", "url": "http://secunia.com/advisories/62023"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "http://www.mozilla.org/security/announce/2014/mfsa2014-80.html"}, {"source": "security@mozilla.org", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"source": "security@mozilla.org", "url": "http://www.securityfocus.com/bid/70432"}, {"source": "security@mozilla.org", "url": "http://www.securitytracker.com/id/1031028"}, {"source": "security@mozilla.org", "url": "http://www.ubuntu.com/usn/USN-2372-1"}, {"source": "security@mozilla.org", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1049095"}, {"source": "security@mozilla.org", "url": "https://security.gentoo.org/glsa/201504-01"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}