Vulnerability CVE-2021-23953

Vulnerability Name:

CVE-2021-23953 (CCN-195641)

Assigned:

2021-01-26

Published:

2021-01-26

Updated:

2021-03-03

Summary:

If a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.

CVSS v3 Severity:

4.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
3.8 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

4.3 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
3.8 Low (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-noinfo
CWE-829

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2021-23953

Source: MISC
Type: Issue Tracking, Permissions Required, Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1683940

Source: XF
Type: UNKNOWN
firefox-cve202123953-info-disc(195641)

Source: CCN
Type: IBM Security Bulletin 6447467 (Application Performance Management)
Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2021-23954) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 - 2020.2.0

Source: CCN
Type: IBM Security Bulletin 6454029 (Cloud Pak for Multicloud Management)
Multiple vulnerabilities in Mozilla Firefox affect IBM Cloud Pak for Multicloud Management Monitoring

Source: CCN
Type: Mozilla Foundation Security Advisory 2021-03
Security Vulnerabilities fixed in Firefox 85

Source: CCN
Type: Mozilla Foundation Security Advisory 2021-04
Security Vulnerabilities fixed in Firefox ESR 78.7

Source: CCN
Type: Mozilla Foundation Security Advisory 2021-05
Security Vulnerabilities fixed in Thunderbird 78.7

Source: MISC
Type: Release Notes, Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-03/

Source: MISC
Type: Release Notes, Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-04/

Source: MISC
Type: Release Notes, Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-05/

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-23953

Vulnerable Configuration:

Configuration 1:

cpe:/a:mozilla:firefox:*:*:*:*:*:*:*:* (Version < 85.0)

OR cpe:/a:mozilla:firefox_esr:*:*:*:*:*:*:*:* (Version < 78.7)

OR cpe:/a:mozilla:thunderbird:*:*:*:*:*:*:*:* (Version < 78.7)

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration RedHat 6:

cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Configuration CCN 1:

cpe:/a:mozilla:firefox_esr:78.6.0:*:*:*:*:*:*:*

AND

cpe:/a:ibm:application_performance_management:8.1.4:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:7868	P	MozillaFirefox-102.11.0-150200.152.87.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:645	P	Security update for php7 (Moderate) (in QA)	2022-10-04
oval:org.opensuse.security:def:95329	P	Security update for python3 (Important)	2022-07-11
oval:org.opensuse.security:def:3546	P	libICE6-1.0.8-12.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3252	P	libsmi-0.4.8-18.55 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94788	P	ppc64-diag-2.7.7-150400.1.8 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94882	P	MozillaFirefox-91.8.0-150200.152.26.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95176	P	MozillaThunderbird-91.8.0-150200.8.65.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:111899	P	MozillaFirefox-92.0-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:111905	P	MozillaThunderbird-91.1.1-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:99705	P	(Moderate)	2021-12-07
oval:org.opensuse.security:def:100014	P	(Important)	2021-11-11
oval:org.opensuse.security:def:1639	P	Security update for squid (Moderate)	2021-10-20
oval:org.opensuse.security:def:93106	P	(Important)	2021-10-15
oval:org.opensuse.security:def:105476	P	MozillaFirefox-92.0-1.2 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:105478	P	MozillaThunderbird-91.1.1-1.1 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:101501	P	Security update for sssd (Important)	2021-09-03
oval:org.opensuse.security:def:93422	P	(Important)	2021-09-03
oval:org.opensuse.security:def:62728	P	MozillaFirefox-78.10.0-8.38.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:101134	P	MozillaFirefox-78.10.0-8.38.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:72447	P	MozillaFirefox-78.10.0-8.38.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:93259	P	(Moderate)	2021-07-20
oval:org.opensuse.security:def:99115	P	(Important)	2021-06-18
oval:org.opensuse.security:def:5781	P	Security update for spice (Important)	2021-06-08
oval:org.opensuse.security:def:102042	P	Security update for java-11-openjdk (Important)	2021-05-11
oval:org.opensuse.security:def:74300	P	Security update for MozillaFirefox (Important)	2021-02-01
oval:org.opensuse.security:def:97164	P	Security update for MozillaFirefox (Important)	2021-02-01
oval:org.opensuse.security:def:102986	P	Security update for MozillaThunderbird (Important)	2021-02-01
oval:org.opensuse.security:def:108167	P	Security update for MozillaFirefox (Important)	2021-02-01
oval:org.opensuse.security:def:10652	P	Security update for MozillaThunderbird (Important)	2021-02-01
oval:org.opensuse.security:def:110662	P	Security update for MozillaFirefox (Important)	2021-02-01
oval:org.opensuse.security:def:117681	P	Security update for MozillaFirefox (Important)	2021-02-01
oval:org.opensuse.security:def:4143	P	Security update for MozillaFirefox (Important)	2021-02-01
oval:org.opensuse.security:def:119792	P	Security update for MozillaThunderbird (Important)	2021-02-01
oval:org.opensuse.security:def:109652	P	Security update for MozillaThunderbird (Important)	2021-02-01
oval:org.opensuse.security:def:111201	P	Security update for MozillaFirefox (Important)	2021-02-01
oval:org.opensuse.security:def:97162	P	Security update for MozillaThunderbird (Important)	2021-02-01
oval:org.opensuse.security:def:96314	P	Security update for MozillaThunderbird (Important)	2021-02-01
oval:org.opensuse.security:def:70792	P	Security update for MozillaThunderbird (Important)	2021-02-01
oval:org.opensuse.security:def:65232	P	Security update for MozillaFirefox (Important)	2021-02-01
oval:org.opensuse.security:def:111199	P	Security update for MozillaThunderbird (Important)	2021-01-30
oval:org.opensuse.security:def:110661	P	Security update for MozillaThunderbird (Important)	2021-01-30
oval:org.opensuse.security:def:38654	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:92165	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:99913	P	Security update for MozillaThunderbird (Important)	2021-01-29
oval:org.opensuse.security:def:9557	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:69896	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:97578	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:60311	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:86119	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:31222	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:55834	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:81091	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:5078	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:23161	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:44374	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:92953	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:90613	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:99307	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:66491	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:88472	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:97159	P	Security update for MozillaThunderbird (Important)	2021-01-29
oval:org.opensuse.security:def:33686	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:58787	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:84179	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:126740	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:28923	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:51926	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:39944	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:75559	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:92357	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:9756	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:70447	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:98163	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:4069	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:86605	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:31655	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:57045	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:82130	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:23622	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:45584	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:108708	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:91198	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:99506	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:8809	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:66870	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:89164	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:97160	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:33944	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:59509	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:84638	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:127137	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:29399	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:54746	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:41154	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:75938	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:92556	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:104268	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:10307	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:70739	P	Security update for MozillaThunderbird (Important)	2021-01-29
oval:org.opensuse.security:def:98920	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:65158	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:87428	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:32141	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:57478	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:82606	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:23938	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:51149	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:74226	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:91970	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:9004	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:69697	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:89422	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:34488	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:59767	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:85686	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:30011	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:55222	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:21401	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:43084	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:92755	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:104853	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:10599	P	Security update for MozillaThunderbird (Important)	2021-01-29
oval:org.opensuse.security:def:5402	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:88158	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:32964	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:57964	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:83218	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:125571	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:26091	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:51610	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:com.redhat.rhsa:def:20210290	P	RHSA-2021:0290: firefox security update (Important)	2021-01-28
oval:com.redhat.rhsa:def:20210297	P	RHSA-2021:0297: thunderbird security update (Important)	2021-01-28
oval:com.redhat.rhsa:def:20210298	P	RHSA-2021:0298: thunderbird security update (Important)	2021-01-28
oval:com.redhat.rhsa:def:20210288	P	RHSA-2021:0288: firefox security update (Important)	2021-01-27

BACK