Home
Packages
Forums
Wiki
GitLab
Security
AUR
Download

issues
advisories
todo
stats
log
login

CVE-2021-38507 - log back

CVE-2021-38507 edited at 03 Nov 2021 16:45:07

Description

-

The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt-in to opportunistic encryption; a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage.

+

A security issue has been found in Firefox before version 94 and Thunderbird before version 91.3. The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt-in to opportunistic encryption; a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage.

References

	https://www.mozilla.org/security/advisories/mfsa2021-48/
+	https://www.mozilla.org/security/advisories/mfsa2021-50/
	https://bugzilla.mozilla.org/show_bug.cgi?id=1730935

CVE-2021-38507 created at 02 Nov 2021 13:16:47

Severity

+

High

Remote

+

Remote

Type

+	Same-origin policy bypass

Description

+

The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt-in to opportunistic encryption; a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage.

References

+	https://www.mozilla.org/security/advisories/mfsa2021-48/
+	https://bugzilla.mozilla.org/show_bug.cgi?id=1730935

Notes