CVE-2021-23971 - OpenCVE

When processing a redirect with a conflicting Referrer-Policy, Firefox would have adopted the redirect's Referrer-Policy. This would have potentially resulted in more information than intended by the original origin being provided to the destination of the redirect. This vulnerability affects Firefox < 86.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Mozilla	Firefox

Configuration 1 [-]

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1678545	Issue Tracking Permissions Required Vendor Advisory
https://security.gentoo.org/glsa/202104-10	Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2021-07/	Release Notes Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mozilla

Published: 2021-02-26T01:55:29

Updated: 2021-05-01T01:06:43

Reserved: 2021-01-13T00:00:00

Link: CVE-2021-23971

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-02-26T02:15:13.103

Modified: 2022-05-27T18:04:16.660

Link: CVE-2021-23971

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "affected", "version": "< 86"}]}], "descriptions": [{"lang": "en", "value": "When processing a redirect with a conflicting Referrer-Policy, Firefox would have adopted the redirect's Referrer-Policy. This would have potentially resulted in more information than intended by the original origin being provided to the destination of the redirect. This vulnerability affects Firefox < 86."}], "problemTypes": [{"descriptions": [{"description": "A website's Referrer-Policy could have been be overridden, potentially resulting in the full URL being sent as a Referrer", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-05-01T01:06:43", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-07/"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1678545"}, {"name": "GLSA-202104-10", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202104-10"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2021-23971", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Firefox", "version": {"version_data": [{"version_value": "< 86"}]}}]}, "vendor_name": "Mozilla"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When processing a redirect with a conflicting Referrer-Policy, Firefox would have adopted the redirect's Referrer-Policy. This would have potentially resulted in more information than intended by the original origin being provided to the destination of the redirect. This vulnerability affects Firefox < 86."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "A website's Referrer-Policy could have been be overridden, potentially resulting in the full URL being sent as a Referrer"}]}]}, "references": {"reference_data": [{"name": "https://www.mozilla.org/security/advisories/mfsa2021-07/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2021-07/"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1678545", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1678545"}, {"name": "GLSA-202104-10", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202104-10"}]}}}}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2021-23971", "datePublished": "2021-02-26T01:55:29", "dateReserved": "2021-01-13T00:00:00", "dateUpdated": "2021-05-01T01:06:43", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "89580DC6-183F-46F0-A27E-4E16D6B10EB6", "versionEndExcluding": "86.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "When processing a redirect with a conflicting Referrer-Policy, Firefox would have adopted the redirect's Referrer-Policy. This would have potentially resulted in more information than intended by the original origin being provided to the destination of the redirect. This vulnerability affects Firefox < 86."}, {"lang": "es", "value": "Cuando se procesa un redireccionamiento con una Pol\u00edtica de Referencia en conflicto, Firefox habr\u00eda adoptado la Pol\u00edtica de Referencia de redireccionamiento. Esto podr\u00eda haber conllevado a que se proporcionara m\u00e1s informaci\u00f3n de la que pretend\u00eda mediante la fuente original hacia el destino del redireccionamiento. Esta vulnerabilidad afecta a Firefox versiones anteriores a 86"}], "id": "CVE-2021-23971", "lastModified": "2022-05-27T18:04:16.660", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-26T02:15:13.103", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1678545"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202104-10"}, {"source": "security@mozilla.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-07/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}