{"api_version":"1","generated_at":"2026-05-13T03:12:03+00:00","cve":"CVE-2021-23969","urls":{"html":"https://cve.report/CVE-2021-23969","api":"https://cve.report/api/cve/CVE-2021-23969.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-23969","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-23969"},"summary":{"title":"CVE-2021-23969","description":"As specified in the W3C Content Security Policy draft, when creating a violation report, \"User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an origin to avoid unintentional leakage.\" Under certain types of redirects, Firefox incorrectly set the source file to be the destination of the redirects. This was fixed to be the redirect destination's origin. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2021-02-26 02:15:00","updated_at":"2022-05-27 18:17:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://security.gentoo.org/glsa/202104-10","name":"GLSA-202104-10","refsource":"GENTOO","tags":[],"title":"Mozilla Firefox: Multiple vulnerabilities (GLSA 202104-10) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.debian.org/security/2021/dsa-4866","name":"DSA-4866","refsource":"DEBIAN","tags":["Third Party Advisory"],"title":"Debian -- Security Information -- DSA-4866-1 thunderbird","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202104-09","name":"GLSA-202104-09","refsource":"GENTOO","tags":[],"title":"Mozilla Thunderbird: Multiple vulnerabilities (GLSA 202104-09) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-07/","name":"https://www.mozilla.org/security/advisories/mfsa2021-07/","refsource":"MISC","tags":["Release Notes","Vendor Advisory"],"title":"Security Vulnerabilities fixed in Firefox 86 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-08/","name":"https://www.mozilla.org/security/advisories/mfsa2021-08/","refsource":"MISC","tags":["Release Notes","Vendor Advisory"],"title":"Security Vulnerabilities fixed in Firefox ESR 78.8 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-09/","name":"https://www.mozilla.org/security/advisories/mfsa2021-09/","refsource":"MISC","tags":["Release Notes","Vendor Advisory"],"title":"Security Vulnerabilities fixed in Thunderbird 78.8 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00000.html","name":"[debian-lts-announce] 20210301 [SECURITY] [DLA 2578-1] thunderbird security update","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] [DLA 2578-1] thunderbird security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1542194","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1542194","refsource":"MISC","tags":["Issue Tracking","Permissions Required","Vendor Advisory"],"title":"Access Denied","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-23969","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23969","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"23969","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23969","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23969","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23969","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23969","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23969","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23969","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23969","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23969","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23969","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-23969","qid":"180193","title":"Debian Security Update for thunderbirdfirefox-esr (CVE-2021-23969)"},{"cve":"CVE-2021-23969","qid":"198355","title":"Ubuntu Security Notification for Thunderbird vulnerabilities (USN-4936-1)"},{"cve":"CVE-2021-23969","qid":"296069","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 31.88.5 Missing (CPUJAN2021)"},{"cve":"CVE-2021-23969","qid":"352250","title":"Amazon Linux Security Advisory for thunderbird: ALAS2-2021-1618"},{"cve":"CVE-2021-23969","qid":"375430","title":"SeaMonkey Multiple Vulnerabilities"},{"cve":"CVE-2021-23969","qid":"500941","title":"Alpine Linux Security Update for firefox-esr"},{"cve":"CVE-2021-23969","qid":"501555","title":"Alpine Linux Security Update for firefox"},{"cve":"CVE-2021-23969","qid":"502379","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-23969","qid":"503846","title":"Alpine Linux Security Update for firefox"},{"cve":"CVE-2021-23969","qid":"630669","title":"Mozilla Firefox for Android and iOS Multiple Vulnerabilities (MFSA2021-07)"},{"cve":"CVE-2021-23969","qid":"710019","title":"Gentoo Linux Mozilla Thunderbird Multiple Vulnerabilities (GLSA 202104-09)"},{"cve":"CVE-2021-23969","qid":"710020","title":"Gentoo Linux Mozilla Firefox Multiple Vulnerabilities (GLSA 202104-10)"},{"cve":"CVE-2021-23969","qid":"750329","title":"OpenSUSE Security Update for MozillaThunderbird (openSUSE-SU-2021:0387-1)"},{"cve":"CVE-2021-23969","qid":"750336","title":"OpenSUSE Security Update for MozillaFirefox (openSUSE-SU-2021:0373-1)"},{"cve":"CVE-2021-23969","qid":"940157","title":"AlmaLinux Security Update for thunderbird (ALSA-2021:0657)"},{"cve":"CVE-2021-23969","qid":"940358","title":"AlmaLinux Security Update for firefox (ALSA-2021:0655)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-23969","ASSIGNER":"security@mozilla.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Mozilla","product":{"product_data":[{"product_name":"Firefox","version":{"version_data":[{"version_value":"< 86"}]}},{"product_name":"Thunderbird","version":{"version_data":[{"version_value":"< 78.8"}]}},{"product_name":"Firefox ESR","version":{"version_data":[{"version_value":"< 78.8"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Content Security Policy violation report could have contained the destination of a redirect"}]}]},"references":{"reference_data":[{"url":"https://www.mozilla.org/security/advisories/mfsa2021-07/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2021-07/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-09/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2021-09/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-08/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2021-08/"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1542194","refsource":"MISC","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1542194"},{"refsource":"MLIST","name":"[debian-lts-announce] 20210301 [SECURITY] [DLA 2578-1] thunderbird security update","url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00000.html"},{"refsource":"DEBIAN","name":"DSA-4866","url":"https://www.debian.org/security/2021/dsa-4866"},{"refsource":"GENTOO","name":"GLSA-202104-10","url":"https://security.gentoo.org/glsa/202104-10"},{"refsource":"GENTOO","name":"GLSA-202104-09","url":"https://security.gentoo.org/glsa/202104-09"}]},"description":{"description_data":[{"lang":"eng","value":"As specified in the W3C Content Security Policy draft, when creating a violation report, \"User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an origin to avoid unintentional leakage.\" Under certain types of redirects, Firefox incorrectly set the source file to be the destination of the redirects. This was fixed to be the redirect destination's origin. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8."}]}},"nvd":{"publishedDate":"2021-02-26 02:15:00","lastModifiedDate":"2022-05-27 18:17:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndExcluding":"86.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*","versionEndExcluding":"78.8","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionEndExcluding":"78.8","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"23969","Ordinal":"198725","Title":"CVE-2021-23969","CVE":"CVE-2021-23969","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"23969","Ordinal":"1","NoteData":"As specified in the W3C Content Security Policy draft, when creating a violation report, \"User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an origin to avoid unintentional leakage.\" Under certain types of redirects, Firefox incorrectly set the source file to be the destination of the redirects. This was fixed to be the redirect destination's origin. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"23969","Ordinal":"2","NoteData":"2021-02-25","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"23969","Ordinal":"3","NoteData":"2021-04-30","Type":"Other","Title":"Modified"}]}}}