CVE-2021-23969
MEDIUMFirefox < 86.0, Firefox ESR < 78.8, Thunderbird < 78.8 - Information Disclosure via CSP Redirect Handling
Title source: llmDescription
As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an origin to avoid unintentional leakage." Under certain types of redirects, Firefox incorrectly set the source file to be the destination of the redirects. This was fixed to be the redirect destination's origin. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.
References (8)
Core 8
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://www.mozilla.org/security/advisories/mfsa2021-07/
Release Notes, Vendor Advisory x_refsource_misc
https://www.mozilla.org/security/advisories/mfsa2021-09/
Release Notes, Vendor Advisory x_refsource_misc
https://www.mozilla.org/security/advisories/mfsa2021-08/
Issue Tracking, Permissions Required, Vendor Advisory x_refsource_misc
https://bugzilla.mozilla.org/show_bug.cgi?id=1542194
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/03/msg00000.html
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2021/dsa-4866
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202104-10
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202104-09
Scores
CVSS v3
4.3
EPSS
0.0076
EPSS Percentile
73.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Details
Status
published
Products (5)
debian/debian_linux
9.0
debian/debian_linux
10.0
mozilla/firefox
< 86.0
mozilla/firefox_esr
< 78.8
mozilla/thunderbird
< 78.8
Published
Feb 26, 2021
Tracked Since
Feb 18, 2026