CVE-2021-23969 — MEDIUM (4.3)

Q: How severe is CVE-2021-23969?

CVE-2021-23969 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-23969?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Firefox Esr, Mozilla Thunderbird, Debian Debian Linux.

Vulnerability Description

As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an origin to avoid unintentional leakage." Under certain types of redirects, Firefox incorrectly set the source file to be the destination of the redirects. This was fixed to be the redirect destination's origin. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.

CVSS Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Mozilla	Firefox	< 86.0
Mozilla	Firefox Esr	< 78.8
Mozilla	Thunderbird	< 78.8
Debian	Debian Linux	9.0

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1542194Issue TrackingPermissions RequiredVendor Advisory
https://lists.debian.org/debian-lts-announce/2021/03/msg00000.htmlMailing ListThird Party Advisory
https://security.gentoo.org/glsa/202104-09Third Party Advisory
https://security.gentoo.org/glsa/202104-10Third Party Advisory
https://www.debian.org/security/2021/dsa-4866Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2021-07/Release NotesVendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-08/Release NotesVendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-09/Release NotesVendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1542194Issue TrackingPermissions RequiredVendor Advisory
https://lists.debian.org/debian-lts-announce/2021/03/msg00000.htmlMailing ListThird Party Advisory
https://security.gentoo.org/glsa/202104-09Third Party Advisory
https://security.gentoo.org/glsa/202104-10Third Party Advisory
https://www.debian.org/security/2021/dsa-4866Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2021-07/Release NotesVendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-08/Release NotesVendor Advisory

FAQ

What is CVE-2021-23969?

CVE-2021-23969 is a vulnerability with a CVSS score of 4.3 (MEDIUM). As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not...

How severe is CVE-2021-23969?

CVE-2021-23969 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-23969?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Firefox Esr, Mozilla Thunderbird, Debian Debian Linux.