CVE-2021-23969

Severity: medium

Description

As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an origin to avoid unintentional leakage." Under certain types of redirects, Firefox incorrectly set the source file to be the destination of the redirects. This was fixed to be the redirect destination's origin. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.
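The rule the description quotes, modelled in a short JavaScript example added here (not Mozilla's code; the redirect chain, URLs and token are constructed sample data): the buggy behaviour that copied the full redirect destination into the report's `source-file`, the fixed behaviour that strips it to an origin, and a check for whether a candidate value exposes any post-redirect URL beyond its origin.

```javascript
// Constructed sample: a page requests a script, and the request is redirected
// through a third party before reaching its final destination.
const redirectChain = [
  "https://site.example/static/app.js",                // URL the page requested (pre-redirect)
  "https://tracker.example/r?id=41",                    // intermediate redirect
  "https://cdn.example/b/app.3f9a.js?t=sample-token",   // final destination (constructed)
];

// scheme://host[:port] only; path, query and fragment are dropped
function originOf(url) {
  return new URL(url).origin;
}

// Behaviour the advisory describes as the bug: the destination reported verbatim,
// which exposes a path and query the page itself never requested.
function sourceFileVulnerable(chain) {
  return chain[chain.length - 1];
}

// Behaviour after the fix: the redirect destination stripped down to its origin.
function sourceFileFixed(chain) {
  return originOf(chain[chain.length - 1]);
}

// What the spec prefers when the information is still available: the pre-redirect URL.
function sourceFilePreferred(chain) {
  return chain[0];
}

// True if sourceFile reveals more than the origin of any post-redirect hop.
// The trailing "/" guards against matching a different host with a common prefix.
function leaksRedirectTarget(sourceFile, chain) {
  return chain.slice(1).some((hop) => sourceFile.startsWith(originOf(hop) + "/"));
}

// Minimal report body as a reporting endpoint would receive it.
function buildReport(documentUri, directive, sourceFile) {
  return {
    "csp-report": {
      "document-uri": documentUri,
      "violated-directive": directive,
      "source-file": sourceFile,
    },
  };
}

const report = buildReport("https://site.example/", "script-src", sourceFileFixed(redirectChain));
console.log(JSON.stringify(report)); // source-file is "https://cdn.example", nothing more
```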

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1542194

https://www.mozilla.org/security/advisories/mfsa2021-08/

https://www.mozilla.org/security/advisories/mfsa2021-09/

https://www.mozilla.org/security/advisories/mfsa2021-07/

https://lists.debian.org/debian-lts-announce/2021/03/msg00000.html

https://www.debian.org/security/2021/dsa-4866

https://security.gentoo.org/glsa/202104-09

https://security.gentoo.org/glsa/202104-10

Details

Source: MITRE

Published: 2021-02-26

Updated: 2021-05-01

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 4.3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Impact Score: 1.4

Exploitability Score: 2.8

Severity: MEDIUM

Tenable Plugins

39 plugins total.

ID     | Name                                                                                 | Product | Family                                 | Severity
150571 | SUSE SLES11 Security Update : MozillaFirefox (SUSE-SU-2021:14657-1)                  | Nessus  | SuSE Local Security Checks             | high
149322 | Ubuntu 20.04 LTS / 20.10 : Thunderbird vulnerabilities (USN-4936-1)                  | Nessus  | Ubuntu Local Security Checks           | high
149233 | GLSA-202104-10 : Mozilla Firefox: Multiple vulnerabilities                           | Nessus  | Gentoo Local Security Checks           | high
149226 | GLSA-202104-09 : Mozilla Thunderbird: Multiple vulnerabilities                       | Nessus  | Gentoo Local Security Checks           | high
148973 | Scientific Linux Security Update : firefox on SL7.x i686/x86_64 (2021:0656)          | Nessus  | Scientific Linux Local Security Checks | high
148972 | Scientific Linux Security Update : thunderbird on SL7.x x86_64 (2021:0661)           | Nessus  | Scientific Linux Local Security Checks | high
147994 | Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 : Firefox vulnerabilities (USN-4756-1) | Nessus | Ubuntu Local Security Checks        | high
147908 | Amazon Linux 2 : thunderbird (ALAS-2021-1618)                                        | Nessus  | Amazon Linux Local Security Checks     | high
147173 | openSUSE Security Update : MozillaThunderbird (openSUSE-2021-387)                    | Nessus  | SuSE Local Security Checks             | high
147157 | openSUSE Security Update : MozillaFirefox (openSUSE-2021-373)                        | Nessus  | SuSE Local Security Checks             | high
146984 | SUSE SLES15 Security Update : MozillaFirefox (SUSE-SU-2021:0676-1)                   | Nessus  | SuSE Local Security Checks             | high
146946 | SUSE SLED15 / SLES15 Security Update : MozillaFirefox (SUSE-SU-2021:0659-1)          | Nessus  | SuSE Local Security Checks             | high
146945 | Debian DLA-2578-1 : thunderbird security update                                      | Nessus  | Debian Local Security Checks           | high
146942 | Debian DSA-4866-1 : thunderbird - security update                                    | Nessus  | Debian Local Security Checks           | high
146940 | SUSE SLES12 Security Update : MozillaFirefox (SUSE-SU-2021:0667-1)                   | Nessus  | SuSE Local Security Checks             | high
146919 | Debian DLA-2575-1 : firefox-esr security update                                      | Nessus  | Debian Local Security Checks           | high
146892 | Debian DSA-4862-1 : firefox-esr - security update                                    | Nessus  | Debian Local Security Checks           | high
146882 | CentOS 7 : firefox (CESA-2021:0656)                                                  | Nessus  | CentOS Local Security Checks           | high
146879 | CentOS 7 : thunderbird (CESA-2021:0661)                                              | Nessus  | CentOS Local Security Checks           | high
146872 | CentOS 8 : thunderbird (CESA-2021:0657)                                              | Nessus  | CentOS Local Security Checks           | high
146870 | CentOS 8 : firefox (CESA-2021:0655)                                                  | Nessus  | CentOS Local Security Checks           | high
146868 | Oracle Linux 8 : SUMM: / thunderbird (ELSA-2021-0657)                                | Nessus  | Oracle Linux Local Security Checks     | high
146867 | Oracle Linux 7 : thunderbird (ELSA-2021-0661)                                        | Nessus  | Oracle Linux Local Security Checks     | high
146866 | Oracle Linux 8 : SUMM: / firefox (ELSA-2021-0655)                                    | Nessus  | Oracle Linux Local Security Checks     | high
146865 | Oracle Linux 7 : firefox (ELSA-2021-0656)                                            | Nessus  | Oracle Linux Local Security Checks     | high
146822 | RHEL 8 : thunderbird (RHSA-2021:0662)                                                | Nessus  | Red Hat Local Security Checks          | high
146817 | RHEL 8 : firefox (RHSA-2021:0659)                                                    | Nessus  | Red Hat Local Security Checks          | high
146816 | RHEL 7 : thunderbird (RHSA-2021:0661)                                                | Nessus  | Red Hat Local Security Checks          | high
146815 | RHEL 8 : thunderbird (RHSA-2021:0657)                                                | Nessus  | Red Hat Local Security Checks          | high
146813 | RHEL 7 : firefox (RHSA-2021:0656)                                                    | Nessus  | Red Hat Local Security Checks          | high
146812 | RHEL 8 : thunderbird (RHSA-2021:0658)                                                | Nessus  | Red Hat Local Security Checks          | high
146811 | RHEL 8 : firefox (RHSA-2021:0660)                                                    | Nessus  | Red Hat Local Security Checks          | high
146809 | RHEL 8 : firefox (RHSA-2021:0655)                                                    | Nessus  | Red Hat Local Security Checks          | high
146784 | Mozilla Thunderbird < 78.8                                                           | Nessus  | MacOS X Local Security Checks          | high
146783 | Mozilla Thunderbird < 78.8                                                           | Nessus  | Windows                                | high
146782 | Mozilla Firefox ESR < 78.8                                                           | Nessus  | MacOS X Local Security Checks          | high
146781 | Mozilla Firefox ESR < 78.8                                                           | Nessus  | Windows                                | high
146780 | Mozilla Firefox < 86.0                                                               | Nessus  | Windows                                | high
146779 | Mozilla Firefox < 86.0                                                               | Nessus  | MacOS X Local Security Checks          | high