Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:
- Mozilla developers and community members reported memory safety bugs present in Firefox 86 and Firefox ESR
78.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some
of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.9,
Firefox < 87, and Thunderbird < 78.9. (CVE-2021-23987)
- If Content Security Policy blocked frame navigation, the full destination of a redirect served in the
frame was reported in the violation report; as opposed to the original frame URI. This could be used to
leak sensitive information contained in such URIs. This vulnerability affects Firefox < 86, Thunderbird <
78.8, and Firefox ESR < 78.8. (CVE-2021-23968)
- As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need
to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible,
user agents need to strip the URL down to an origin to avoid unintentional leakage." Under certain types
of redirects, Firefox incorrectly set the source file to be the destination of the redirects. This was
fixed to be the redirect destination's origin. This vulnerability affects Firefox < 86, Thunderbird <
78.8, and Firefox ESR < 78.8. (CVE-2021-23969)
- When trying to load a cross-origin resource in an audio/video context a decoding error may have resulted,
and the content of that error may have revealed information about the resource. This vulnerability affects
Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8. (CVE-2021-23973)
- Mozilla developers reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7. Some of these
bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
been exploited to run arbitrary code. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and
Firefox ESR < 78.8. (CVE-2021-23978)
Plugin Details
Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
Exploit Ease: No known exploits are available
Vulnerability Publication Date: 2/23/2021