{"containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "affected", "version": "< 85"}]}], "descriptions": [{"lang": "en", "value": "Further techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 85."}], "problemTypes": [{"descriptions": [{"description": "More internal network hosts could have been probed by a malicious webpage", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-05-01T01:08:12", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-03/"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1677940"}, {"name": "DSA-4895", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-4895"}, {"name": "[debian-lts-announce] 20210422 [SECURITY] [DLA 2632-1] thunderbird security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00019.html"}, {"name": "DSA-4897", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-4897"}, {"name": "[debian-lts-announce] 20210423 [SECURITY] [DLA 2633-1] firefox-esr security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00020.html"}, {"name": "GLSA-202104-10", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202104-10"}, {"name": "GLSA-202104-09", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202104-09"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2021-23961", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Firefox", "version": {"version_data": [{"version_value": "< 85"}]}}]}, "vendor_name": "Mozilla"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Further techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 85."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "More internal network hosts could have been probed by a malicious webpage"}]}]}, "references": {"reference_data": [{"name": "https://www.mozilla.org/security/advisories/mfsa2021-03/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2021-03/"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1677940", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1677940"}, {"name": "DSA-4895", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4895"}, {"name": "[debian-lts-announce] 20210422 [SECURITY] [DLA 2632-1] thunderbird security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00019.html"}, {"name": "DSA-4897", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4897"}, {"name": "[debian-lts-announce] 20210423 [SECURITY] [DLA 2633-1] firefox-esr security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00020.html"}, {"name": "GLSA-202104-10", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202104-10"}, {"name": "GLSA-202104-09", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202104-09"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:14:09.837Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-03/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1677940"}, {"name": "DSA-4895", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4895"}, {"name": "[debian-lts-announce] 20210422 [SECURITY] [DLA 2632-1] thunderbird security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00019.html"}, {"name": "DSA-4897", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4897"}, {"name": "[debian-lts-announce] 20210423 [SECURITY] [DLA 2633-1] firefox-esr security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00020.html"}, {"name": "GLSA-202104-10", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202104-10"}, {"name": "GLSA-202104-09", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202104-09"}]}]}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2021-23961", "datePublished": "2021-02-26T02:02:52", "dateReserved": "2021-01-13T00:00:00", "dateUpdated": "2024-08-03T19:14:09.837Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "403EA47E-6B2D-4082-BFF2-E764C8356854", "versionEndExcluding": "85.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Further techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 85."}, {"lang": "es", "value": "Otras t\u00e9cnicas que se basaron en la investigaci\u00f3n de slipstream combinada con una p\u00e1gina web maliciosa podr\u00edan haber expuesto tanto los hosts de una red interna como los servicios que se ejecutan en la m\u00e1quina local del usuario.&#xa0;Esta vulnerabilidad afecta a Firefox versiones anteriores a 85"}], "id": "CVE-2021-23961", "lastModified": "2022-05-27T18:18:04.893", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-26T03:15:13.997", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1677940"}, {"source": "security@mozilla.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00019.html"}, {"source": "security@mozilla.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00020.html"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202104-09"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202104-10"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4895"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4897"}, {"source": "security@mozilla.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-03/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Ben Seri, Gregory Vishnepolsky, and Samy Kamkar as the original reporters.", "affected_release": [{"advisory": "RHSA-2021:1350", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "thunderbird-0:78.10.0-1.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2021-04-26T00:00:00Z"}, {"advisory": "RHSA-2021:1363", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "firefox-0:78.10.0-1.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2021-04-26T00:00:00Z"}, {"advisory": "RHSA-2021:1353", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:78.10.0-1.el8_3", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-04-26T00:00:00Z"}, {"advisory": "RHSA-2021:1360", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:78.10.0-1.el8_3", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-04-26T00:00:00Z"}, {"advisory": "RHSA-2021:1351", "cpe": "cpe:/a:redhat:rhel_eus:8.1", "package": "thunderbird-0:78.10.0-1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2021-04-26T00:00:00Z"}, {"advisory": "RHSA-2021:1362", "cpe": "cpe:/a:redhat:rhel_eus:8.1", "package": "firefox-0:78.10.0-1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2021-04-26T00:00:00Z"}, {"advisory": "RHSA-2021:1352", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "thunderbird-0:78.10.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2021-04-26T00:00:00Z"}, {"advisory": "RHSA-2021:1361", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "firefox-0:78.10.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2021-04-26T00:00:00Z"}], "bugzilla": {"description": "Mozilla: More internal network hosts could have been probed by a malicious webpage", "id": "1951367", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1951367"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["Further techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 85."], "name": "CVE-2021-23961", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2021-04-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-23961\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-23961\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2021-15/#CVE-2021-23961"], "threat_severity": "Moderate", "upstream_fix": "thunderbird 78.10, firefox 78.10"}