CVE-2021-23975 — Missing Authorization in Mozilla Firefox

CWE-862 — Missing Authorization6 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 47.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedFeb 26

Latest updateMay 24

Description

The developer page about:memory has a Measure function for exploring what object types the browser has allocated and their sizes. When this function was invoked we incorrectly called the sizeof function, instead of using the API method that checks for invalid pointers. This vulnerability affects Firefox < 86.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶debiandebian/firefox< firefox 86.0-1 (sid)

▶CVEListV5mozilla/firefox< 86

▶NVDmozilla/firefox< 86.0

▶Ubuntumozilla/firefox< 86.0+build3-0ubuntu0.16.04.1+2

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

GHSA-2r68-8x78-ffgh: The developer page about:memory has a Measure function for exploring what object types the browser has allocated and their sizes↗2022-05-24

▶

OSV

CVE-2021-23975: The developer page about:memory has a Measure function for exploring what object types the browser has allocated and their sizes↗2021-02-26

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2021-02-26

▶

Debian

CVE-2021-23975: firefox - The developer page about:memory has a Measure function for exploring what object...↗2021

▶

Mozilla

Mozilla Foundation Security Advisory 2021-07: CVE-2021-23975↗

▶