CVE-2021-29965 - OpenCVE

A malicious website that causes an HTTP Authentication dialog to be spawned could trick the built-in password manager to suggest passwords for the currently active website instead of the website that triggered the dialog. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 89.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mozilla	Firefox

Configuration 1 [-]

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:android:*:*

No data.

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1709257
https://www.mozilla.org/security/advisories/mfsa2021-23/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2021-06-24T13:14:52

Updated: 2024-08-03T22:24:57.499Z

Reserved: 2021-04-01T00:00:00

Link: CVE-2021-29965

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-06-24T14:15:10.363

Modified: 2021-06-30T20:39:03.257

Link: CVE-2021-29965

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"lessThan": "89", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "A malicious website that causes an HTTP Authentication dialog to be spawned could trick the built-in password manager to suggest passwords for the currently active website instead of the website that triggered the dialog. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 89."}], "problemTypes": [{"descriptions": [{"description": "Password Manager on Firefox for Android susceptible to domain spoofing", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-06-24T13:14:52", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-23/"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1709257"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2021-29965", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Firefox", "version": {"version_data": [{"version_affected": "<", "version_value": "89"}]}}]}, "vendor_name": "Mozilla"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A malicious website that causes an HTTP Authentication dialog to be spawned could trick the built-in password manager to suggest passwords for the currently active website instead of the website that triggered the dialog. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 89."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Password Manager on Firefox for Android susceptible to domain spoofing"}]}]}, "references": {"reference_data": [{"name": "https://www.mozilla.org/security/advisories/mfsa2021-23/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2021-23/"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1709257", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1709257"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T22:24:57.499Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-23/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1709257"}]}]}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2021-29965", "datePublished": "2021-06-24T13:14:52", "dateReserved": "2021-04-01T00:00:00", "dateUpdated": "2024-08-03T22:24:57.499Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:android:*:*", "matchCriteriaId": "E160B3A0-CAB8-4BB0-A7A2-5C7778D9254E", "versionEndExcluding": "89.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A malicious website that causes an HTTP Authentication dialog to be spawned could trick the built-in password manager to suggest passwords for the currently active website instead of the website that triggered the dialog. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 89."}, {"lang": "es", "value": "Un sitio web malicioso que causa que se genere un di\u00e1logo de autenticaci\u00f3n HTTP podr\u00eda enga\u00f1ar al gestor de contrase\u00f1as integrado para sugerir contrase\u00f1as para el sitio web actualmente activo en lugar del sitio web que desencaden\u00f3 el di\u00e1logo. *Este bug s\u00f3lo afecta a Firefox para Android. Otros sistemas operativos no est\u00e1n afectados. Esta vulnerabilidad afecta a Firefox versiones anteriores a 89"}], "id": "CVE-2021-29965", "lastModified": "2021-06-30T20:39:03.257", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-24T14:15:10.363", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1709257"}, {"source": "security@mozilla.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-23/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-610"}], "source": "nvd@nist.gov", "type": "Primary"}]}