CVE-2021-29954 — Cleartext Storage of Sensitive Info in Mozilla Hubs Cloud

CWE-312 — Cleartext Storage of Sensitive Info3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

0.2%

top 61.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Hubs Cloud Mozilla Hubs Cloud Reticulum Mozilla Firefox

Timeline

PublishedJun 24

Latest updateMay 24

Description

Proxy functionality built into Hubs Cloud’s Reticulum software allowed access to internal URLs, including the metadata service. This vulnerability affects Hubs Cloud < mozillareality/reticulum/1.0.1/20210428201255.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDmozilla/hubs_cloud_reticulum< 1.0.1

▶CVEListV5mozilla/hubs_cloudunspecified — mozillareality/reticulum/1.0.1/20210428201255

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

GHSA-xph6-frvr-hq8f: Proxy functionality built into Hubs Cloud’s Reticulum software allowed access to internal URLs, including the metadata service↗2022-05-24

▶

📋Vendor Advisories

Mozilla

Mozilla Foundation Security Advisory 2021-21: CVE-2021-29954↗

▶