When Web Render components were destructed, a race condition could have caused undefined behavior, and we presume that with enough effort may have been exploitable to run arbitrary code. This vulnerability affects Firefox < 88.0.1 and Firefox for Android < 88.1.3.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - When Web Render components were destructed, a race condition could have caused undefined behavior, and we     presume that with enough effort may have been exploitable to run arbitrary code. This vulnerability     affects Firefox < 88.0.1 and Firefox for Android < 88.1.3. (CVE-2021-29952)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-4942-1 advisory.

    A race condition was discovered in Web Render Components. If a user were tricked into opening a specially     crafted website, an attacker could potentially exploit this to execute arbitrary code.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Firefox installed on the remote macOS or Mac OS X host is prior to 88.0.1. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2021-20 advisory.

  - A malicious webpage could have forced a Firefox for Android user into executing attacker-controlled     JavaScript in the context of another domain, resulting in a Universal Cross-Site Scripting     vulnerability.Note: This issue only affected Firefox for Android. Other operating systems are     unaffected. Further details are being temporarily withheld to allow users an opportunity to update.
    (CVE-2021-29953)

  - When Web Render components were destructed, a race condition could have caused undefined behavior, and we     presume that with enough effort may have been exploitable to run arbitrary code. (CVE-2021-29952)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Firefox installed on the remote Windows host is prior to 88.0.1. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2021-20 advisory.

  - A malicious webpage could have forced a Firefox for Android user into executing attacker-controlled     JavaScript in the context of another domain, resulting in a Universal Cross-Site Scripting     vulnerability.Note: This issue only affected Firefox for Android. Other operating systems are     unaffected. Further details are being temporarily withheld to allow users an opportunity to update.
    (CVE-2021-29953)

  - When Web Render components were destructed, a race condition could have caused undefined behavior, and we     presume that with enough effort may have been exploitable to run arbitrary code. (CVE-2021-29952)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
248515	Linux Distros Unpatched Vulnerability : CVE-2021-29952	Nessus	Misc.	high
149409	Ubuntu 18.04 LTS / 20.04 LTS : Firefox vulnerability (USN-4942-1)	Nessus	Ubuntu Local Security Checks	high
149282	Mozilla Firefox < 88.0.1	Nessus	MacOS X Local Security Checks	high
149281	Mozilla Firefox < 88.0.1	Nessus	Windows	high

Detections

Analytics

CVE-2021-29952

high

Tenable Plugins

high

high

high

high