CVE-2021-23985Resource Exposure in Mozilla Firefox

CWE-668Resource Exposure7 documents6 sources
Severity
6.5MEDIUMNVD
OSV8.1
EPSS
1.3%
top 20.01%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mozilla FirefoxDebian Firefox
Timeline
PublishedMar 31
Latest updateMay 24

Description

If an attacker is able to alter specific about:config values (for example malware running on the user's computer), the Devtools remote debugging feature could have been enabled in a way that was unnoticable to the user. This would have allowed a remote attacker (able to make a direct network connection to the victim) to monitor the user's browsing activity and (plaintext) network traffic. This was addressed by providing a visual cue when Devtools has an open network socket. This vulnerability af

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

debiandebian/firefox< firefox 87.0-1 (sid)
CVEListV5mozilla/firefoxunspecified87
NVDmozilla/firefox< 87.0
Ubuntumozilla/firefox< 87.0+build3-0ubuntu0.16.04.2+2
mozillamozilla/firefox

🔴Vulnerability Details

3
GHSA
GHSA-9m9w-3428-h4cq: If an attacker is able to alter specific about:config values (for example malware running on the user's computer), the Devtools remote debugging featu2022-05-24
OSV
firefox vulnerabilities2021-03-25
OSV
CVE-2021-23985: If an attacker is able to alter specific about:config values (for example malware running on the user's computer), the Devtools remote debugging featu2021-03-25

📋Vendor Advisories

3
Ubuntu
Firefox vulnerabilities2021-03-25
Debian
CVE-2021-23985: firefox - If an attacker is able to alter specific about:config values (for example malwar...2021
Mozilla
Mozilla Foundation Security Advisory 2021-10: CVE-2021-23985