Key pinning is ignored when overridable errors are encountered — Mozilla

2015-07-0200:00:00

Mozilla Foundation

www.mozilla.org

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS

0.002

Percentile

57.5%

JSON

Mozilla security engineer David Keeler reported that when an overridable error is encountered, such as those for expired certificates or a host name does not match a certificate, pinning checks can be be skipped. This would allow for a user to override a pinned certificate when they should not be able to do so. This issue does not allow for third parties to cause a certificate to be overridden and the user would still have to manually do so.

Affected configurations

Vulners

Node

mozillafirefoxRange<39

mozillafirefox_esrRange<38.1

mozillaseamonkeyRange<2.35

mozillathunderbirdRange<38.1

VendorProductVersionCPE
mozillafirefox*cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
mozillafirefox_esr*cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
mozillaseamonkey*cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*
mozillathunderbird*cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mozilla	firefox	*	cpe:2.3:a:mozilla:firefox::::::::
mozilla	firefox_esr	*	cpe:2.3:a:mozilla:firefox_esr::::::::
mozilla	seamonkey	*	cpe:2.3:a:mozilla:seamonkey::::::::
mozilla	thunderbird	*	cpe:2.3:a:mozilla:thunderbird::::::::