CVE-2021-38510 — Command Injection in Mozilla Firefox

CWE-77 — Command Injection10 documents8 sources

Severity

8.8HIGHNVD

EPSS

0.5%

top 35.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird

Timeline

PublishedDec 8

Latest updateAug 21

Description

The executable file warning was not presented when downloading .inetloc files, which, due to a flaw in Mac OS, can run commands on a user's computer.*Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages6 packages

▶CVEListV5mozilla/firefoxunspecified — 94

▶NVDmozilla/firefox< 94.0

▶CVEListV5mozilla/firefox_esrunspecified — 91.3

▶NVDmozilla/firefox_esr< 91.3.0

▶CVEListV5mozilla/thunderbirdunspecified — 91.3

🔴Vulnerability Details

GHSA

GHSA-h8g4-jwjc-gf58: The executable file warning was not presented when downloading↗2021-12-09

▶

OSV

CVE-2021-38510: The executable file warning was not presented when downloading↗2021-12-08

▶

CVEList

CVE-2021-38510: The executable file warning was not presented when downloading↗2021-12-08

▶

📋Vendor Advisories

Red Hat

Mozilla: Download Protections were bypassed by .inetloc files on Mac OS↗2021-11-02

▶

Debian

CVE-2021-38510: firefox - The executable file warning was not presented when downloading .inetloc files, w...↗2021

▶

Mozilla

Mozilla Foundation Security Advisory 2021-49: CVE-2021-38510↗

▶

Mozilla

Mozilla Foundation Security Advisory 2021-48: CVE-2021-38510↗

▶

Mozilla

Mozilla Foundation Security Advisory 2021-50: CVE-2021-38510↗

▶

💬Community

Bugzilla

Mozilla Firefox Download Protections were bypassed by .atloc / .ftploc files on MacOS↗2022-08-21

▶