China National Vulnerability Database (cnvd), CNVD-2021-101167
Nov 04, 2021 - 12:00 a.m.

Mozilla Firefox Access Control Error Vulnerability (CNVD-2021-101167)

www.cnvd.org.cn
mozilla firefox
http2
tls
access control
vulnerability

EPSS: 0.007 (Percentile: 80.8%)

Mozilla Firefox is an open source web browser from the Mozilla Foundation in the U.S. An access control error vulnerability exists in Mozilla Firefox. It stems from the Opportunistic Encryption feature of HTTP2 (RFC 8164), which allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being treated as same-origin with unencrypted connections on port 80. If another port on the same IP address (e.g., port 8443) has not opted in to Opportunistic Encryption, a network attacker could forward the browser's connection from port 443 to port 8443, causing the browser to treat the content on port 8443 as same-origin with HTTP. This is addressed by disabling the lesser-used Opportunistic Encryption feature. No further vulnerability details are currently available.