CVE-2021-29951 — MEDIUM (6.5)

Q: How severe is CVE-2021-29951?

CVE-2021-29951 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-29951?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Firefox Esr, Mozilla Thunderbird, Microsoft Windows.

Vulnerability Description

The Mozilla Maintenance Service granted SERVICE_START access to BUILTIN|Users which, in a domain network, grants normal remote users access to start or stop the service. This could be used to prevent the browser update service from operating (if an attacker spammed the 'Stop' command); but also exposed attack surface in the maintenance service. *Note: This issue only affected Windows operating systems older than Win 10 build 1709. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 78.10.1, Firefox < 87, and Firefox ESR < 78.10.1.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Mozilla	Firefox	< 87.0
Mozilla	Firefox Esr	< 78.10.1
Mozilla	Thunderbird	< 78.10.1
Microsoft	Windows	-

Related Weaknesses (CWE)

CWE-269

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1690062Issue TrackingVendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-10/Release NotesVendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-18/Release NotesVendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-19/Release NotesVendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1690062Issue TrackingVendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-10/Release NotesVendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-18/Release NotesVendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-19/Release NotesVendor Advisory

FAQ

What is CVE-2021-29951?

CVE-2021-29951 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The Mozilla Maintenance Service granted SERVICE_START access to BUILTIN|Users which, in a domain network, grants normal remote users access to start or stop the service. This could be used to prevent ...

How severe is CVE-2021-29951?

CVE-2021-29951 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-29951?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Firefox Esr, Mozilla Thunderbird, Microsoft Windows.