Closed Bug 1719332 Opened 3 years ago Closed 3 years ago

Local file access affecting Firefox ESR (Vulnerable to CVE-2021-23956)

Categories

(Firefox :: Security, task)

Tracking

RESOLVED DUPLICATE of bug 1338637

People

(Reporter: nowasky.jr, Unassigned)

Details

(Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Hello,

Firefox ESR 78.11 is vulnerable to CVE-2021-23956 - Bug 1338637:

By holding the ENTER key the File Dialog is opened and the current folder is selected, giving the page access to its files.

I've made a POC that is available at https://storage.googleapis.com/nowa0/v4.final.html

Flags: sec-bounty?

bug 1338637 is public, and is marked as fixed in Firefox 85, so I don't think it's surprising that 78 esr is vulnerable...

Dan, should we try to get 1338637 uplifted? Was this just missed because the bug got marked public after the exploit had been tweeted about, so we stopped tracking it for security uplifts (and because we don't always uplift sec-moderate to ESR, IIRC)?

Flags: needinfo?(dveditz)

whether the bug is public makes no difference, it's that we generally don't uplift sec-moderates that aren't deemed very dangerous. Especially when the fix requires additional localization.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(dveditz)
Resolution: --- → DUPLICATE

(In reply to Daniel Veditz [:dveditz] from comment #2)

> whether the bug is public makes no difference, it's that we generally don't uplift sec-moderates that aren't deemed very dangerous. Especially when the fix requires additional localization.

*** This bug has been marked as a duplicate of bug 1338637 ***

Ah, bother - this is what I get for trying to go through a month of sec-sensitive bug mail in one go. :-(
Yeah, the l10n aspect means uplift isn't really plausible.

Group: firefox-core-security
Flags: sec-bounty? → sec-bounty-