CVE-2015-0832 — Mozilla Firefox vulnerability

CWE-2549 documents6 sources

Severity

5.0MEDIUMNVD

OSV4.3

EPSS

0.1%

top 69.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Canonical Ubuntu Linux Opensuse

Timeline

PublishedFeb 25

Latest updateMay 14

Description

Mozilla Firefox before 36.0 does not properly recognize the equivalence of domain names with and without a trailing . (dot) character, which allows man-in-the-middle attackers to bypass the HPKP and HSTS protection mechanisms by constructing a URL with this character and leveraging access to an X.509 certificate for a domain with this character.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶Ubuntumozilla/firefox< 36.0+build2-0ubuntu0.14.04.4+1

▶NVDmozilla/firefox35.0.1+214

▶NVDopensuse/opensuse13.1, 13.2+1

Also affects: Ubuntu Linux 12.04, 14.04, 14.10

🔴Vulnerability Details

GHSA

GHSA-vmh3-65w6-vq3x: Mozilla Firefox before 36↗2022-05-14

▶

OSV

firefox regression↗2015-03-09

▶

OSV

firefox vulnerabilities↗2015-02-25

▶

OSV

CVE-2015-0832: Mozilla Firefox before 36↗2015-02-25

▶

📋Vendor Advisories

Ubuntu

Firefox regression↗2015-03-09

▶

Ubuntu

Firefox vulnerabilities↗2015-02-25

▶

Red Hat

Mozilla: Appended period to hostnames can bypass HPKP and HSTS protections (MFSA 2015-13)↗2015-02-24

▶

💬Community

Bugzilla

CVE-2015-0832 Mozilla: Appended period to hostnames can bypass HPKP and HSTS protections (MFSA 2015-13)↗2015-02-24

▶