CVE-2021-23969
Summary
| CVE | CVE-2021-23969 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-02-26 02:15:00 UTC |
| Updated | 2022-05-27 18:17:00 UTC |
| Description | As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an origin to avoid unintentional leakage." Under certain types of redirects, Firefox incorrectly set the source file to be the destination of the redirects. This was fixed to be the redirect destination's origin. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8. |
Risk And Classification
Problem Types: NVD-CWE-noinfo
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Application | Mozilla | Firefox | All | All | All | All |
| Application | Mozilla | Firefox | All | All | All | All |
| Application | Mozilla | Firefox Esr | All | All | All | All |
| Application | Mozilla | Firefox Esr | All | All | All | All |
| Application | Mozilla | Thunderbird | All | All | All | All |
| Application | Mozilla | Thunderbird | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Mozilla Firefox: Multiple vulnerabilities (GLSA 202104-10) — Gentoo security | GENTOO | security.gentoo.org | |
| Debian -- Security Information -- DSA-4866-1 thunderbird | DEBIAN | www.debian.org | Third Party Advisory |
| Mozilla Thunderbird: Multiple vulnerabilities (GLSA 202104-09) — Gentoo security | GENTOO | security.gentoo.org | |
| Security Vulnerabilities fixed in Firefox 86 — Mozilla | MISC | www.mozilla.org | Release Notes, Vendor Advisory |
| Security Vulnerabilities fixed in Firefox ESR 78.8 — Mozilla | MISC | www.mozilla.org | Release Notes, Vendor Advisory |
| Security Vulnerabilities fixed in Thunderbird 78.8 — Mozilla | MISC | www.mozilla.org | Release Notes, Vendor Advisory |
| [SECURITY] [DLA 2578-1] thunderbird security update | MLIST | lists.debian.org | Mailing List, Third Party Advisory |
| Access Denied | MISC | bugzilla.mozilla.org | Issue Tracking, Permissions Required, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 180193 Debian Security Update for thunderbirdfirefox-esr (CVE-2021-23969)
- 198355 Ubuntu Security Notification for Thunderbird vulnerabilities (USN-4936-1)
- 296069 Oracle Solaris 11.4 Support Repository Update (SRU) 31.88.5 Missing (CPUJAN2021)
- 352250 Amazon Linux Security Advisory for thunderbird: ALAS2-2021-1618
- 375430 SeaMonkey Multiple Vulnerabilities
- 500941 Alpine Linux Security Update for firefox-esr
- 501555 Alpine Linux Security Update for firefox
- 502379 Alpine Linux Security Update for thunderbird
- 503846 Alpine Linux Security Update for firefox
- 630669 Mozilla Firefox for Android and iOS Multiple Vulnerabilities (MFSA2021-07)
- 710019 Gentoo Linux Mozilla Thunderbird Multiple Vulnerabilities (GLSA 202104-09)
- 710020 Gentoo Linux Mozilla Firefox Multiple Vulnerabilities (GLSA 202104-10)
- 750329 OpenSUSE Security Update for MozillaThunderbird (openSUSE-SU-2021:0387-1)
- 750336 OpenSUSE Security Update for MozillaFirefox (openSUSE-SU-2021:0373-1)
- 940157 AlmaLinux Security Update for thunderbird (ALSA-2021:0657)
- 940358 AlmaLinux Security Update for firefox (ALSA-2021:0655)