Vulnerability CVE-2021-23969: Information

Description

As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an origin to avoid unintentional leakage." Under certain types of redirects, Firefox incorrectly set the source file to be the destination of the redirects. This was fixed to be the redirect destination's origin. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.

Severity: MEDIUM (4.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-23969

Published: Feb. 26, 2021

Modified: May 27, 2022

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
firefox	sisyphus	86.0-alt1	127.0-alt1	ALT-PU-2021-1428-1	267257	Fixed
firefox	p10	86.0-alt1	118.0.2-alt0.p10.1	ALT-PU-2021-1428-1	267257	Fixed
firefox	p9	93.0-alt0.p9.1	105.0.1-alt0.c9.1	ALT-PU-2022-1782-1	288073	Fixed
firefox	c10f1	86.0-alt1	112.0.2-alt0.p10.1	ALT-PU-2021-1428-1	267257	Fixed
firefox	c9f2	93.0-alt0.p9.1	105.0.1-alt0.c9.1	ALT-PU-2021-3368-1	288792	Fixed
firefox	p11	86.0-alt1	126.0.1-alt1	ALT-PU-2021-1428-1	267257	Fixed
firefox-esr	sisyphus	78.8.0-alt1	115.11.0-alt1	ALT-PU-2021-1396-1	266839	Fixed
firefox-esr	p10	91.1.0-alt1	115.11.0-alt1	ALT-PU-2021-2881-1	284980	Fixed
firefox-esr	p9	78.8.0-alt0.1.p9	102.11.0-alt0.c9.1	ALT-PU-2021-1410-1	266920	Fixed
firefox-esr	c10f1	91.1.0-alt1	115.9.1-alt0.c10.1	ALT-PU-2021-2881-1	284980	Fixed
firefox-esr	c9f2	91.3.0-alt1.c9.1	102.12.0-alt0.c9.1	ALT-PU-2021-3369-1	288792	Fixed
firefox-esr	p11	78.8.0-alt1	115.11.0-alt1	ALT-PU-2021-1396-1	266839	Fixed
thunderbird	sisyphus	78.8.0-alt1	115.9.0-alt1	ALT-PU-2021-1399-1	266955	Fixed
thunderbird	p10	78.8.0-alt1	115.9.0-alt1	ALT-PU-2021-1399-1	266955	Fixed
thunderbird	p9	78.8.0-alt0.1.p9	102.11.0-alt0.c9.1	ALT-PU-2021-1430-1	266984	Fixed
thunderbird	c10f1	78.8.0-alt1	115.9.0-alt0.c10.1	ALT-PU-2021-1399-1	266955	Fixed
thunderbird	c9f2	78.8.0-alt0.1.c9	102.11.0-alt0.c9.1	ALT-PU-2021-1418-1	267016	Fixed
thunderbird	p11	78.8.0-alt1	115.9.0-alt1	ALT-PU-2021-1399-1	266955	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1542194	Issue Tracking Permissions Required Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-08/	Release Notes Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-09/	Release Notes Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-07/	Release Notes Vendor Advisory
[debian-lts-announce] 20210301 [SECURITY] [DLA 2578-1] thunderbird security update	Mailing List Third Party Advisory
DSA-4866	Third Party Advisory
GLSA-202104-09	Third Party Advisory
GLSA-202104-10	Third Party Advisory

Affected configurations:
1. Configuration 1
  cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
  End excliding
  86.0
  cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
  End excliding
  78.8
  cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
  End excliding
  78.8
  
  Configuration 2
  cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Version: v24.5.3

Vulnerability CVE-2021-23969: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2