{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/1289?format=json","vulnerability_id":"VCID-473a-9b6z-bufs","summary":"The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80.  However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt in to opportunistic encryption, a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP.  This was resolved by disabling the Opportunistic Encryption feature, which had low usage.","aliases":[{"alias":"CVE-2021-38507"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/2182?format=json","purl":"pkg:alpm/archlinux/firefox@94.0-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/firefox@94.0-1"},{"url":"http://public2.vulnerablecode.io/api/packages/2179?format=json","purl":"pkg:alpm/archlinux/thunderbird@91.3.0-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/thunderbird@91.3.0-1"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/2181?format=json","purl":"pkg:alpm/archlinux/firefox@93.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-473a-9b6z-bufs"},{"vulnerability":"VCID-54pu-nmum-guhs"},{"vulnerability":"VCID-7s6p-8cx2-bybs"},{"vulnerability":"VCID-bnuz-8g1t-ybc2"},{"vulnerability":"VCID-bsrv-bkzk-pfhh"},{"vulnerability":"VCID-d78u-x2t8-vkfg"},{"vulnerability":"VCID-unnb-hcmb-tqep"},{"vulnerability":"VCID-w3cg-uv84-q3g5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/firefox@93.0-1"},{"url":"http://public2.vulnerablecode.io/api/packages/2178?format=json","purl":"pkg:alpm/archlinux/thunderbird@91.2.1-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-473a-9b6z-bufs"},{"vulnerability":"VCID-54pu-nmum-guhs"},{"vulnerability":"VCID-7s6p-8cx2-bybs"},{"vulnerability":"VCID-bnuz-8g1t-ybc2"},{"vulnerability":"VCID-bsrv-bkzk-pfhh"},{"vulnerability":"VCID-d78u-x2t8-vkfg"},{"vulnerability":"VCID-unnb-hcmb-tqep"},{"vulnerability":"VCID-w3cg-uv84-q3g5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/thunderbird@91.2.1-1"}],"references":[{"reference_url":"https://security.archlinux.org/ASA-202111-2","reference_id":"ASA-202111-2","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202111-2"},{"reference_url":"https://security.archlinux.org/ASA-202111-3","reference_id":"ASA-202111-3","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202111-3"},{"reference_url":"https://security.archlinux.org/AVG-2511","reference_id":"AVG-2511","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2511"},{"reference_url":"https://security.archlinux.org/AVG-2518","reference_id":"AVG-2518","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2518"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2021-48","reference_id":"mfsa2021-48","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2021-48"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2021-49","reference_id":"mfsa2021-49","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2021-49"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2021-50","reference_id":"mfsa2021-50","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2021-50"}],"weaknesses":[],"exploits":[],"severity_range_score":"7.0 - 8.9","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-473a-9b6z-bufs"}