CVE-2021-23953

high

Published 2021-01-27 · Modified 2021-01-28

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.0

Description

If a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API

Description Mozilla: Cross-origin information leakage via redirected PDF requests CVSS v3: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Errata / fixed releases ProductPackageAdvisoryReleased Red Hat Enterprise Linux 7firefox-0:78.7.0-2.el7_9RHSA-2021:02902021-01-28T00:00:00Z Red Hat Enterprise Linux 7thunderbird-0:78.7.0-1.el7_9RHSA-2021:02972021-01-28T00:00:00Z Red Hat Enterprise Linux…

Description

Mozilla: Cross-origin information leakage via redirected PDF requests

CVSS v3: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Errata / fixed releases

Product	Package	Advisory	Released
Red Hat Enterprise Linux 7	`firefox-0:78.7.0-2.el7_9`	RHSA-2021:0290	2021-01-28T00:00:00Z
Red Hat Enterprise Linux 7	`thunderbird-0:78.7.0-1.el7_9`	RHSA-2021:0297	2021-01-28T00:00:00Z
Red Hat Enterprise Linux 8	`firefox-0:78.7.0-2.el8_3`	RHSA-2021:0288	2021-01-27T00:00:00Z
Red Hat Enterprise Linux 8	`thunderbird-0:78.7.0-1.el8_3`	RHSA-2021:0298	2021-01-28T00:00:00Z
Red Hat Enterprise Linux 8.1 Extended Update Support	`firefox-0:78.7.0-2.el8_1`	RHSA-2021:0285	2021-01-27T00:00:00Z
Red Hat Enterprise Linux 8.1 Extended Update Support	`thunderbird-0:78.7.0-1.el8_1`	RHSA-2021:0397	2021-02-03T00:00:00Z
Red Hat Enterprise Linux 8.2 Extended Update Support	`firefox-0:78.7.0-2.el8_2`	RHSA-2021:0289	2021-01-27T00:00:00Z
Red Hat Enterprise Linux 8.2 Extended Update Support	`thunderbird-0:78.7.0-1.el8_2`	RHSA-2021:0299	2021-01-28T00:00:00Z

Package state

Product	Package	State
Red Hat Enterprise Linux 6	`firefox`	Out of support scope
Red Hat Enterprise Linux 6	`thunderbird`	Out of support scope

Apply commands

bash fix

Apply RHSA-2021:0290 for Red Hat Enterprise Linux 7

yum update -y firefox
# or:
dnf upgrade -y firefox

OS impact

SUSE Affected 1 release

Version	Status	Fixed in
—	Affected	—

Arch Fixed 1 release

Version	Status	Fixed in
—	Fixed	`78.7.0-1`

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`78.7.0esr-1`
sid	Fixed	`85.0-1`
forky	Fixed	`78.7.0esr-1`
bullseye	Fixed	`78.7.0esr-1`
bookworm	Fixed	`78.7.0esr-1`

Red Hat Fixed 1 release

Version	Status	Fixed in
8	Fixed	—

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.