Vulnerability CVE-2021-29987

Vulnerability Name:

CVE-2021-29987 (CCN-207141)

Assigned:

2021-08-10

Published:

2021-08-10

Updated:

2022-03-16

Summary:

After requesting multiple permissions, and closing the first permission panel, subsequent permission panels will be displayed in a different position but still record a click in the default location, making it possible to trick a user into accepting a permission they did not want to. *This bug only affects Firefox on Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox < 91 and Thunderbird < 91.

CVSS v3 Severity:

6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:C/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Complete Availibility (A): None

Vulnerability Type:

CWE-307

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2021-29987

Source: MISC
Type: Issue Tracking, Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1716129

Source: XF
Type: UNKNOWN
firefox-cve202129987-sec-bypass(207141)

Source: GENTOO
Type: Third Party Advisory
GLSA-202202-03

Source: CCN
Type: Mozilla Foundation Security Advisory 2021-33
Security Vulnerabilities fixed in Firefox 91

Source: MISC
Type: Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-33/

Source: MISC
Type: Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-36/

Vulnerable Configuration:

Configuration 1:

cpe:/a:mozilla:firefox:*:*:*:*:*:*:*:* (Version < 91.0)

OR cpe:/a:mozilla:thunderbird:*:*:*:*:*:*:*:* (Version < 91.0)

AND

cpe:/o:linux:linux_kernel:-:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:7868	P	MozillaFirefox-102.11.0-150200.152.87.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:51962	P	Security update for net-snmp (Moderate)	2022-12-13
oval:org.opensuse.security:def:95400	P	Security update for dovecot23 (Important)	2022-07-20
oval:org.opensuse.security:def:3252	P	libsmi-0.4.8-18.55 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94806	P	python3-py-1.8.1-5.6.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94882	P	MozillaFirefox-91.8.0-150200.152.26.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:126871	P	Security update for MozillaFirefox (Important)	2022-05-09
oval:org.opensuse.security:def:5234	P	Security update for MozillaFirefox (Important)	2022-05-09
oval:org.opensuse.security:def:6029	P	Security update for MozillaFirefox (Important)	2022-05-09
oval:org.opensuse.security:def:125705	P	Security update for MozillaFirefox (Important)	2022-05-09
oval:org.opensuse.security:def:127268	P	Security update for MozillaFirefox (Important)	2022-05-09
oval:org.opensuse.security:def:100056	P	(Important)	2022-03-30
oval:org.opensuse.security:def:6202	P	Security update for bind (Important)	2022-03-21
oval:org.opensuse.security:def:6193	P	Security update for MozillaFirefox (Important)	2022-03-14
oval:org.opensuse.security:def:99745	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:111899	P	MozillaFirefox-92.0-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:111187	P	Security update for MozillaThunderbird (Important)	2021-12-29
oval:org.opensuse.security:def:103004	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:119810	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:1792	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:10707	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:70810	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:109670	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:6276	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:111845	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:70847	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:102344	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:67365	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:96332	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:76433	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:10670	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:99152	P	(Moderate)	2021-10-20
oval:org.opensuse.security:def:41166	P	Security update for MozillaFirefox, rust-cbindgen (Important)	2021-10-18
oval:org.opensuse.security:def:111089	P	Security update for MozillaFirefox (Important)	2021-10-18
oval:org.opensuse.security:def:43099	P	Security update for MozillaFirefox, rust-cbindgen (Important)	2021-10-18
oval:org.opensuse.security:def:39960	P	Security update for MozillaFirefox, rust-cbindgen (Important)	2021-10-18
oval:org.opensuse.security:def:45596	P	Security update for MozillaFirefox, rust-cbindgen (Important)	2021-10-18
oval:org.opensuse.security:def:38669	P	Security update for MozillaFirefox, rust-cbindgen (Important)	2021-10-18
oval:org.opensuse.security:def:44390	P	Security update for MozillaFirefox, rust-cbindgen (Important)	2021-10-18
oval:org.opensuse.security:def:65250	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:111749	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:4226	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:101730	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:67291	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:74318	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:101519	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:65315	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:76359	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:74383	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:108185	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:117699	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:1039	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:4161	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:76009	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:70487	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:108779	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:9796	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:67282	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:105647	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:92202	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:69737	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:106435	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:9041	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:76350	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:10160	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:99347	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:105842	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:92397	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:69936	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:106722	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:9406	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:5852	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:10347	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:99546	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:106037	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:8659	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:92596	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:70300	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:102113	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:9597	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:66941	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:98957	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:92007	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:69546	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:106236	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:8846	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:111740	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:92795	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:105476	P	MozillaFirefox-92.0-1.2 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:43092	P	Security update for MozillaFirefox (Important)	2021-10-01
oval:org.opensuse.security:def:39952	P	Security update for MozillaFirefox (Important)	2021-10-01
oval:org.opensuse.security:def:45591	P	Security update for MozillaFirefox (Important)	2021-10-01
oval:org.opensuse.security:def:38662	P	Security update for MozillaFirefox (Important)	2021-10-01
oval:org.opensuse.security:def:44382	P	Security update for MozillaFirefox (Important)	2021-10-01
oval:org.opensuse.security:def:41161	P	Security update for MozillaFirefox (Important)	2021-10-01
oval:org.opensuse.security:def:58832	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:86650	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:33720	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:82632	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:29425	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:89198	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:57093	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:84670	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:31684	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:23672	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:59543	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:87473	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:33978	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:55248	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:83336	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:125607	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:30129	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:89456	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:57507	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:85734	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:127171	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:32186	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:23974	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:59801	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:88194	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:34544	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:55952	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:83456	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:30249	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:58009	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:86148	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:33009	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:51660	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:26132	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:60367	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:88510	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:56072	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:84212	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:126774	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:31270	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:5119	P	Security update for MozillaFirefox (Important)	2021-09-22

BACK