Vulnerability CVE-2021-38497

Vulnerability Name:

CVE-2021-38497 (CCN-210695)

Assigned:

2021-10-05

Published:

2021-10-05

Updated:

2021-11-04

Summary:

Through use of reportValidity() and window.open(), a plain-text validation message could have been overlaid on another origin, leading to possible user confusion and spoofing attacks. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2.

CVSS v3 Severity:

6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

6.5 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
5.7 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:C/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Complete Availibility (A): None

Vulnerability Type:

CWE-346
CWE-1021

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2021-38497

Source: MISC
Type: Permissions Required, Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1726621

Source: XF
Type: UNKNOWN
firefox-cve202138497-spoofing(210695)

Source: CCN
Type: IBM Security Bulletin 6578563 (Application Performance Management)
Multiple vulnerabilities of Mozilla Firefox (less than Firefox 91.8.0ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF16 - 2022.4.0

Source: CCN
Type: Mozilla Foundation Security Advisory 2021-43
Security Vulnerabilities fixed in Firefox 93

Source: CCN
Type: Mozilla Foundation Security Advisory 2021-45
Security Vulnerabilities fixed in Firefox ESR 91.2

Source: MISC
Type: Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-43/

Source: MISC
Type: Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-45/

Source: MISC
Type: Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-47/

Vulnerable Configuration:

Configuration 1:

cpe:/a:mozilla:firefox:*:*:*:*:*:*:*:* (Version < 93.0)

OR cpe:/a:mozilla:firefox_esr:*:*:*:*:*:*:*:* (Version < 91.2)

OR cpe:/a:mozilla:thunderbird:*:*:*:*:*:*:*:* (Version < 91.2)

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration RedHat 6:

cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Configuration CCN 1:

cpe:/a:mozilla:firefox_esr:91.1:*:*:*:*:*:*:*

AND

cpe:/a:ibm:application_performance_management:8.1.4:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:95400	P	Security update for dovecot23 (Important)	2022-07-20
oval:org.opensuse.security:def:3546	P	MozillaThunderbird-91.8.0-150200.8.65.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94882	P	MozillaFirefox-91.8.0-150200.152.26.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94806	P	python3-py-1.8.1-5.6.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95176	P	MozillaThunderbird-91.8.0-150200.8.65.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:3252	P	MozillaFirefox-91.8.0-150200.152.26.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:100056	P	(Important)	2022-03-30
oval:org.opensuse.security:def:99745	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:111900	P	MozillaFirefox-93.0-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:111906	P	MozillaThunderbird-91.2.0-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:111187	P	Security update for MozillaThunderbird (Important)	2021-12-29
oval:org.opensuse.security:def:70847	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:102344	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:67365	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:76433	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:10670	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:96332	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:111845	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:109670	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:10707	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:103004	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:1792	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:6276	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:70810	P	Security update for MozillaThunderbird (Important)	2021-12-22
oval:org.opensuse.security:def:99152	P	(Moderate)	2021-10-20
oval:org.opensuse.security:def:39960	P	Security update for MozillaFirefox, rust-cbindgen (Important)	2021-10-18
oval:org.opensuse.security:def:111089	P	Security update for MozillaFirefox (Important)	2021-10-18
oval:org.opensuse.security:def:41166	P	Security update for MozillaFirefox, rust-cbindgen (Important)	2021-10-18
oval:org.opensuse.security:def:43099	P	Security update for MozillaFirefox, rust-cbindgen (Important)	2021-10-18
oval:org.opensuse.security:def:44390	P	Security update for MozillaFirefox, rust-cbindgen (Important)	2021-10-18
oval:org.opensuse.security:def:38669	P	Security update for MozillaFirefox, rust-cbindgen (Important)	2021-10-18
oval:org.opensuse.security:def:45596	P	Security update for MozillaFirefox, rust-cbindgen (Important)	2021-10-18
oval:org.opensuse.security:def:74383	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:111749	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:4161	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:1039	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:6202	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:4226	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:65250	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:74318	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:101730	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:67291	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:76359	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:108185	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:101519	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:65315	P	Security update for MozillaFirefox (Important)	2021-10-16
oval:org.opensuse.security:def:59810	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:88205	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:33023	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:55960	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:83464	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:26147	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:58024	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:86157	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:31285	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:51675	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:60387	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:88522	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:33729	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:56080	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:84222	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:29435	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:58846	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:86665	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:31693	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:51971	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:82642	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:23687	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:89207	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:33987	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:57108	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:84681	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:30137	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:59552	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:87487	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:32201	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:55258	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:83344	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:23983	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:89465	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:34564	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:57516	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:85749	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:30257	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:com.redhat.rhsa:def:20213838	P	RHSA-2021:3838: thunderbird security update (Important)	2021-10-13
oval:com.redhat.rhsa:def:20213841	P	RHSA-2021:3841: thunderbird security update (Important)	2021-10-13
oval:com.redhat.rhsa:def:20213791	P	RHSA-2021:3791: firefox security update (Important)	2021-10-12
oval:org.opensuse.security:def:106236	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:9597	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:99546	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:6193	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:com.redhat.rhsa:def:20213755	P	RHSA-2021:3755: firefox security update (Important)	2021-10-11
oval:org.opensuse.security:def:92596	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:108779	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:70300	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:102113	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:105647	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:8846	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:66941	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:98957	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:76009	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:92007	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:106435	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:9796	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:69546	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:92795	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:70487	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:105842	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:9041	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:67282	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:76350	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:92202	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:106722	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:10160	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:69737	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:106037	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:9406	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:99347	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:111740	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:5852	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:92397	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:10347	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:69936	P	Security update for MozillaFirefox (Important)	2021-10-11
oval:org.opensuse.security:def:8659	P	Security update for MozillaFirefox (Important)	2021-10-11

BACK