CVE-2021-43540 — Incorrect Permission Assignment in Mozilla Firefox

CWE-732 — Incorrect Permission Assignment9 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 41.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedDec 8

Latest updateDec 20

Description

WebExtensions with the correct permissions were able to create and install ServiceWorkers for third-party websites that would not have been uninstalled with the extension. This vulnerability affects Firefox < 95.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶debiandebian/firefox< firefox 95.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 95

▶NVDmozilla/firefox< 95.0

▶Ubuntumozilla/firefox< 95.0.1+build2-0ubuntu0.18.04.1+4

▶mozillamozilla/firefox

🔴Vulnerability Details

OSV

firefox regressions↗2021-12-20

▶

GHSA

GHSA-vj37-39rq-5f3g: WebExtensions with the correct permissions were able to create and install ServiceWorkers for third-party websites that would not have been uninstalle↗2021-12-09

▶

OSV

firefox vulnerabilities↗2021-12-09

▶

OSV

CVE-2021-43540: WebExtensions with the correct permissions were able to create and install ServiceWorkers for third-party websites that would not have been uninstalle↗2021-12-08

▶

📋Vendor Advisories

Ubuntu

Firefox regressions↗2021-12-20

▶

Ubuntu

Firefox vulnerabilities↗2021-12-09

▶

Debian

CVE-2021-43540: firefox - WebExtensions with the correct permissions were able to create and install Servi...↗2021

▶

Mozilla

Mozilla Foundation Security Advisory 2021-52: CVE-2021-43540↗

▶