CVE-2015-0799

Published: 08/04/2015 Updated: 30/10/2018
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

The HTTP Alternative Services feature in Mozilla Firefox prior to 37.0.1 allows man-in-the-middle attackers to bypass an intended X.509 certificate-verification step for an SSL server by specifying that server in the uri-host field of an Alt-Svc HTTP/2 response header.
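As an added, illustrative example (not part of this record and not Mozilla's code), the following Python parses Alt-Svc header values and flags alternatives whose uri-host differs from the origin. Those are exactly the entries for which a client must still verify that the alternative's certificate is valid for the original origin, as the Alt-Svc specification (RFC 7838) requires; the affected Firefox versions skipped that check. The function names and the sample header are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# One Alt-Svc entry (RFC 7838): protocol-id "=" DQUOTE [host] ":" port DQUOTE,
# followed by zero or more ";"-separated parameters such as ma=<seconds>.
# An empty host means "same host as the origin".
_ENTRY = re.compile(
    r'\s*(?P<proto>[^=\s,;"]+)="(?P<authority>[^"]*)"'
    r'(?P<params>(?:\s*;\s*[^;,]+)*)'
)


def parse_alt_svc(value: str) -> list[dict]:
    """Parse an Alt-Svc field value into a list of alternative services.

    Returns [] for the special value "clear". Each alternative is a dict with
    keys proto, host (possibly "" for 'same host'), port and params.
    Malformed entries are dropped rather than trusted.
    """
    value = value.strip()
    if value.lower() == "clear":
        return []
    alternatives = []
    for m in _ENTRY.finditer(value):
        host, sep, port = m.group("authority").rpartition(":")
        if not sep or not port.isdigit():
            continue  # no ":port" or non-numeric port: ignore the entry
        host = host.strip("[]")  # IPv6 literals arrive as "[addr]"
        params = {}
        for p in m.group("params").split(";"):
            p = p.strip()
            if not p:
                continue
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip().strip('"')
        alternatives.append({
            "proto": m.group("proto"),
            "host": host,
            "port": int(port),
            "params": params,
        })
    return alternatives


def cross_origin_alternatives(origin_url: str, alt_svc_value: str) -> list[dict]:
    """Return the alternatives that point at a host other than the origin's.

    A correct client may only use such an alternative if the certificate it
    presents is valid for the *origin* host; an implementation that accepts
    the alternative's host without that check has the weakness described in
    CVE-2015-0799. Same-host entries (empty host or matching name) are not
    reported.
    """
    origin_host = (urlsplit(origin_url).hostname or "").lower()
    return [
        a for a in parse_alt_svc(alt_svc_value)
        if a["host"] and a["host"].lower() != origin_host
    ]


if __name__ == "__main__":
    # Constructed sample: a response from www.example.com advertising an
    # alternative on a different host and one on the same host, other port.
    sample_header = 'h2="alt.example.com:443"; ma=2592000, h2=":8443"'
    for alt in cross_origin_alternatives("https://www.example.com/", sample_header):
        print("cross-host alternative advertised:", alt["proto"], alt["host"], alt["port"])
```

The checker is meant for a logging proxy or test harness rather than as a replacement for certificate validation: a flagged entry is not itself malicious, it is simply the case where the client's verification step matters.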

Vulnerable Products

canonical ubuntu linux 12.04

canonical ubuntu linux 14.04

canonical ubuntu linux 14.10

opensuse opensuse 13.2

opensuse opensuse 13.1

mozilla firefox

Vendor Advisories

Firefox could be made to bypass SSL certificate verification ...
Mozilla Foundation Security Advisory 2015-44 Certificate verification bypass through the HTTP/2 Alt-Svc header Announced April 3, 2015 Reporter Muneaki Nishimura Impact Critical Products Firefox, SeaMonkey Fixed in ...
The HTTP Alternative Services feature in Mozilla Firefox before 37.0.1 allows man-in-the-middle attackers to bypass an intended X.509 certificate-verification step for an SSL server by specifying that server in the uri-host field of an Alt-Svc HTTP/2 response header ...

Recent Articles

Can't patch this: Mozilla pulls Firefox encryption feature after just a week
The Register • John Leyden • 07 Apr 2015

Stop right there. This thing ain’t ready

Mozilla has pulled Firefox 37's opportunistic encryption feature after less than a week when it learned that tech designed to enhance security actually broke SSL certificate validation. A simple patch wouldn't do the trick, so Mozilla opted to release an update, Firefox 37.0.1, that removed opportunistic encryption. Going into reverse ferret mode and stripping out technology that evidently wasn't ready for prime time is a little embarrassing for Mozilla even though this is the responsible action...