The Public Key Pinning (PKP) implementation in Mozilla Firefox prior to 33.0 does not properly consider the connection-coalescing behavior of SPDY and HTTP/2 in the case of a shared IP address, which allows man-in-the-middle attackers to bypass an intended pinning configuration and spoof a web site by providing a valid certificate from an arbitrary recognized Certification Authority.
Vulnerable Product |
---|
mozilla firefox 31.0 |
mozilla firefox 30.0 |
mozilla firefox |
mozilla firefox 31.1.0 |