CVE-2015-2741 — Mozilla Firefox vulnerability

CWE-3109 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

0.4%

top 37.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Thunderbird Mozilla Firefox ESR +1 more

Timeline

PublishedJul 6

Latest updateMay 17

Description

Mozilla Firefox before 39.0, Firefox ESR 38.x before 38.1, and Thunderbird before 38.1 do not enforce key pinning upon encountering an X.509 certificate problem that generates a user dialog, which allows user-assisted man-in-the-middle attackers to bypass intended access restrictions by triggering a (1) expired certificate or (2) mismatched hostname for a domain with pinning enabled.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages5 packages

▶Ubuntumozilla/firefox< 39.0+build5-0ubuntu0.14.04.1

▶NVDmozilla/firefox38.1.0+8

▶NVDmozilla/firefox_esr7 versions+6

▶Ubuntumozilla/thunderbird< 1:31.8.0+build1-0ubuntu0.14.04.1

▶NVDoracle/solaris11.3

🔴Vulnerability Details

GHSA

GHSA-7wmj-q9mp-9x7x: Mozilla Firefox before 39↗2022-05-17

▶

OSV

firefox vulnerabilities↗2015-07-09

▶

CVEList

CVE-2015-2741: Mozilla Firefox before 39↗2015-07-06

▶

OSV

CVE-2015-2741: Mozilla Firefox before 39↗2015-07-05

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2015-07-15

▶

Ubuntu

Firefox vulnerabilities↗2015-07-09

▶

Red Hat

Mozilla: Key pinning is ignored when overridable errors are encountered (MFSA 2015-67)↗2015-07-02

▶

💬Community

Bugzilla

CVE-2015-2741 Mozilla: Key pinning is ignored when overridable errors are encountered (MFSA 2015-67)↗2015-06-30

▶