CVE-2021-23963 — Improper Preservation of Permissions in Mozilla Firefox

CWE-281 — Improper Preservation of Permissions6 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 64.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedFeb 26

Latest updateMay 24

Description

When sharing geolocation during an active WebRTC share, Firefox could have reset the webRTC sharing state in the user interface, leading to loss of control over the currently granted permission. This vulnerability affects Firefox < 85.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages5 packages

▶debiandebian/firefox< firefox 85.0-1 (sid)

▶CVEListV5mozilla/firefox< 85

▶NVDmozilla/firefox< 85.0

▶Ubuntumozilla/firefox< 85.0+build1-0ubuntu0.16.04.1+2

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

GHSA-398j-x47f-2q99: When sharing geolocation during an active WebRTC share, Firefox could have reset the webRTC sharing state in the user interface, leading to loss of co↗2022-05-24

▶

OSV

CVE-2021-23963: When sharing geolocation during an active WebRTC share, Firefox could have reset the webRTC sharing state in the user interface, leading to loss of co↗2021-01-26

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2021-02-01

▶

Debian

CVE-2021-23963: firefox - When sharing geolocation during an active WebRTC share, Firefox could have reset...↗2021

▶

Mozilla

Mozilla Foundation Security Advisory 2021-03: CVE-2021-23963↗

▶