The Public Key Pinning (PKP) implementation in Mozilla Firefox before 33.0 does not properly consider the connection-coalescing behavior of SPDY and HTTP/2 in the case of a shared IP address, which allows man-in-the-middle attackers to bypass an intended pinning configuration and spoof a web site by providing a valid certificate from an arbitrary recognized Certification Authority.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mozilla
Published: 2014-10-15T10:00:00
Updated: 2016-12-20T16:57:01
Reserved: 2014-01-16T00:00:00
Link: CVE-2014-1582
JSON object: View
NVD Information
Status : Modified
Published: 2014-10-15T10:55:06.897
Modified: 2016-12-22T02:59:13.937
Link: CVE-2014-1582
JSON object: View
Redhat Information
No data.
CWE