CVE-2021-23961 - OpenCVE

Further techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 85.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Debian Linux
Mozilla	Firefox

Configuration 1 [-]

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1677940	Issue Tracking Permissions Required Vendor Advisory
https://lists.debian.org/debian-lts-announce/2021/04/msg00019.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/04/msg00020.html	Mailing List Third Party Advisory
https://security.gentoo.org/glsa/202104-09	Third Party Advisory
https://security.gentoo.org/glsa/202104-10	Third Party Advisory
https://www.debian.org/security/2021/dsa-4895	Third Party Advisory
https://www.debian.org/security/2021/dsa-4897	Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2021-03/	Release Notes Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mozilla

Published: 2021-02-26T02:02:52

Updated: 2021-05-01T01:08:12

Reserved: 2021-01-13T00:00:00

Link: CVE-2021-23961

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-02-26T03:15:13.997

Modified: 2022-05-27T18:18:04.893

Link: CVE-2021-23961

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "affected", "version": "< 85"}]}], "descriptions": [{"lang": "en", "value": "Further techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 85."}], "problemTypes": [{"descriptions": [{"description": "More internal network hosts could have been probed by a malicious webpage", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-05-01T01:08:12", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-03/"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1677940"}, {"name": "DSA-4895", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-4895"}, {"name": "[debian-lts-announce] 20210422 [SECURITY] [DLA 2632-1] thunderbird security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00019.html"}, {"name": "DSA-4897", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-4897"}, {"name": "[debian-lts-announce] 20210423 [SECURITY] [DLA 2633-1] firefox-esr security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00020.html"}, {"name": "GLSA-202104-10", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202104-10"}, {"name": "GLSA-202104-09", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202104-09"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2021-23961", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Firefox", "version": {"version_data": [{"version_value": "< 85"}]}}]}, "vendor_name": "Mozilla"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Further techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 85."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "More internal network hosts could have been probed by a malicious webpage"}]}]}, "references": {"reference_data": [{"name": "https://www.mozilla.org/security/advisories/mfsa2021-03/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2021-03/"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1677940", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1677940"}, {"name": "DSA-4895", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4895"}, {"name": "[debian-lts-announce] 20210422 [SECURITY] [DLA 2632-1] thunderbird security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00019.html"}, {"name": "DSA-4897", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4897"}, {"name": "[debian-lts-announce] 20210423 [SECURITY] [DLA 2633-1] firefox-esr security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00020.html"}, {"name": "GLSA-202104-10", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202104-10"}, {"name": "GLSA-202104-09", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202104-09"}]}}}}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2021-23961", "datePublished": "2021-02-26T02:02:52", "dateReserved": "2021-01-13T00:00:00", "dateUpdated": "2021-05-01T01:08:12", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "403EA47E-6B2D-4082-BFF2-E764C8356854", "versionEndExcluding": "85.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Further techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 85."}, {"lang": "es", "value": "Otras t\u00e9cnicas que se basaron en la investigaci\u00f3n de slipstream combinada con una p\u00e1gina web maliciosa podr\u00edan haber expuesto tanto los hosts de una red interna como los servicios que se ejecutan en la m\u00e1quina local del usuario. Esta vulnerabilidad afecta a Firefox versiones anteriores a 85"}], "id": "CVE-2021-23961", "lastModified": "2022-05-27T18:18:04.893", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-26T03:15:13.997", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1677940"}, {"source": "security@mozilla.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00019.html"}, {"source": "security@mozilla.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00020.html"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202104-09"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202104-10"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4895"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4897"}, {"source": "security@mozilla.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-03/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}