CVE-2014-1582
Last modified
CVE-2014-1582 is a vulnerability of currently unknown severity. The Public Key Pinning (PKP) implementation in Mozilla Firefox before 33.0 does not properly consider the connection-coalescing behavior of SPDY and HTTP/2 in the case of a shared IP address, which allows man-in-the-middle attackers to bypass an intended pinning configuration and spoof a web site by providing a valid certificate from an arbitrary recognized Certification Authority.. EPSS estimates a 1.20% chance of exploitation in the next 30 days.
Description
The Public Key Pinning (PKP) implementation in Mozilla Firefox before 33.0 does not properly consider the connection-coalescing behavior of SPDY and HTTP/2 in the case of a shared IP address, which allows man-in-the-middle attackers to bypass an intended pinning configuration and spoof a web site by providing a valid certificate from an arbitrary recognized Certification Authority.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | <= 32.0 |
| Mozilla | Firefox | 30.0 |
| Mozilla | Firefox | 31.0 |
| Mozilla | Firefox | 31.1.0 |
References
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2014-1582?
How severe is CVE-2014-1582?
How do I fix CVE-2014-1582?
Are you affected by CVE-2014-1582?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST