Saturday, November 6, 2021

MFSA2021-48 Firefox: Security Vulnerabilities fixed in Firefox 94 (CVE-2021-38507)

rapid7 vulnerabilities In: , 
Description
The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80.  However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt-in to opportunistic encryption; a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP.  This was resolved by disabling the Opportunistic Encryption feature, which had low usage.
Solution(s)
  • mozilla-firefox-upgrade-94_0


    • References
  • https://attackerkb.com/topics/cve-2021-38507
  • CVE - 2021-38507
  • http://www.mozilla.org/security/announce/2021/mfsa2021-48.html




    •  

    Copyright © 2021 Vulnerability Database | Cyber Details™

    thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore