Vulnerability Description
Mozilla Firefox before 39.0, Firefox ESR 38.x before 38.1, and Thunderbird before 38.1 do not enforce key pinning upon encountering an X.509 certificate problem that generates a user dialog, which allows user-assisted man-in-the-middle attackers to bypass intended access restrictions by triggering a (1) expired certificate or (2) mismatched hostname for a domain with pinning enabled.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | <= 38.1.0 |
| Oracle | Solaris | 11.3 |
| Mozilla | Firefox Esr | 31.1 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00025.html
- http://rhn.redhat.com/errata/RHSA-2015-1207.html
- http://rhn.redhat.com/errata/RHSA-2015-1455.html
- http://www.mozilla.org/security/announce/2015/mfsa2015-67.htmlVendor Advisory
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.htmlThird Party Advisory
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.htmlThird Party Advisory
- http://www.securityfocus.com/bid/75541
- http://www.securitytracker.com/id/1032783
- http://www.securitytracker.com/id/1032784
- http://www.ubuntu.com/usn/USN-2656-1
- http://www.ubuntu.com/usn/USN-2656-2
- https://bugzilla.mozilla.org/show_bug.cgi?id=1147497Issue TrackingVendor Advisory
- https://security.gentoo.org/glsa/201512-10
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00025.html
- http://rhn.redhat.com/errata/RHSA-2015-1207.html
FAQ
What is CVE-2015-2741?
CVE-2015-2741 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Mozilla Firefox before 39.0, Firefox ESR 38.x before 38.1, and Thunderbird before 38.1 do not enforce key pinning upon encountering an X.509 certificate problem that generates a user dialog, which all...
How severe is CVE-2015-2741?
CVE-2015-2741 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-2741?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Oracle Solaris, Mozilla Firefox Esr.