{"api_version":"1","generated_at":"2026-04-23T00:40:50+00:00","cve":"CVE-2021-29951","urls":{"html":"https://cve.report/CVE-2021-29951","api":"https://cve.report/api/cve/CVE-2021-29951.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-29951","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-29951"},"summary":{"title":"CVE-2021-29951","description":"The Mozilla Maintenance Service granted SERVICE_START access to BUILTIN|Users which, in a domain network, grants normal remote users access to start or stop the service. This could be used to prevent the browser update service from operating (if an attacker spammed the 'Stop' command); but also exposed attack surface in the maintenance service. *Note: This issue only affected Windows operating systems older than Win 10 build 1709. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 78.10.1, Firefox < 87, and Firefox ESR < 78.10.1.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2021-06-24 14:15:00","updated_at":"2022-07-12 17:42:00"},"problem_types":["CWE-269"],"metrics":[],"references":[{"url":"https://www.mozilla.org/security/advisories/mfsa2021-18/","name":"https://www.mozilla.org/security/advisories/mfsa2021-18/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Firefox ESR 78.10.1 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-19/","name":"https://www.mozilla.org/security/advisories/mfsa2021-19/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Thunderbird 78.10.1 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1690062","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1690062","refsource":"MISC","tags":[],"title":"Access Denied","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-10/","name":"https://www.mozilla.org/security/advisories/mfsa2021-10/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Firefox 87 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-29951","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29951","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"29951","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"29951","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"29951","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"29951","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-29951","qid":"296053","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 35.94.4 Missing (CPUJUL2021)"},{"cve":"CVE-2021-29951","qid":"375529","title":"Mozilla Thunderbird Security Restriction Bypass Vulnerability (MFSA2021-19)"},{"cve":"CVE-2021-29951","qid":"375531","title":"Mozilla Firefox ESR Security Restriction Bypass Vulnerability (MFSA2021-18)"},{"cve":"CVE-2021-29951","qid":"502381","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-29951","qid":"503632","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-29951","qid":"503634","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-29951","qid":"503650","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-29951","qid":"503669","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-29951","qid":"506260","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-29951","qid":"750119","title":"SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2021:1884-1)"},{"cve":"CVE-2021-29951","qid":"750123","title":"SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2021:1886-1)"},{"cve":"CVE-2021-29951","qid":"750141","title":"SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2021:1919-1)"},{"cve":"CVE-2021-29951","qid":"750166","title":"OpenSUSE Security Update for MozillaFirefox (openSUSE-SU-2021:0858-1)"},{"cve":"CVE-2021-29951","qid":"750810","title":"OpenSUSE Security Update for MozillaThunderbird (openSUSE-SU-2021:1854-1)"},{"cve":"CVE-2021-29951","qid":"750823","title":"OpenSUSE Security Update for MozillaFirefox (openSUSE-SU-2021:1884-1)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-29951","ASSIGNER":"security@mozilla.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Mozilla","product":{"product_data":[{"product_name":"Thunderbird","version":{"version_data":[{"version_value":"78.10.1","version_affected":"<"}]}},{"product_name":"Firefox","version":{"version_data":[{"version_value":"87","version_affected":"<"}]}},{"product_name":"Firefox ESR","version":{"version_data":[{"version_value":"78.10.1","version_affected":"<"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Mozilla Maintenance Service could have been started or stopped by domain users"}]}]},"references":{"reference_data":[{"url":"https://www.mozilla.org/security/advisories/mfsa2021-10/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2021-10/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-18/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2021-18/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-19/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2021-19/"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1690062","refsource":"MISC","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1690062"}]},"description":{"description_data":[{"lang":"eng","value":"The Mozilla Maintenance Service granted SERVICE_START access to BUILTIN|Users which, in a domain network, grants normal remote users access to start or stop the service. This could be used to prevent the browser update service from operating (if an attacker spammed the 'Stop' command); but also exposed attack surface in the maintenance service. *Note: This issue only affected Windows operating systems older than Win 10 build 1709. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 78.10.1, Firefox < 87, and Firefox ESR < 78.10.1."}]}},"nvd":{"publishedDate":"2021-06-24 14:15:00","lastModifiedDate":"2022-07-12 17:42:00","problem_types":["CWE-269"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":2.5},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":6.4},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndExcluding":"87.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*","versionEndExcluding":"78.10.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionEndExcluding":"78.10.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"29951","Ordinal":"205182","Title":"CVE-2021-29951","CVE":"CVE-2021-29951","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"29951","Ordinal":"1","NoteData":"The Mozilla Maintenance Service granted SERVICE_START access to BUILTIN|Users which, in a domain network, grants normal remote users access to start or stop the service. This could be used to prevent the browser update service from operating (if an attacker spammed the 'Stop' command); but also exposed attack surface in the maintenance service. *Note: This issue only affected Windows operating systems older than Win 10 build 1709. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 78.10.1, Firefox < 87, and Firefox ESR < 78.10.1.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"29951","Ordinal":"2","NoteData":"2021-06-24","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"29951","Ordinal":"3","NoteData":"2021-06-24","Type":"Other","Title":"Modified"}]}}}