Main Vulnerability Database SB2021050422

SB2021050422 - Security restrictions bypass in Mozilla Thunderbird

Published: May 4, 2021

Security Bulletin ID SB2021050422

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Security restrictions bypass (CVE-ID: CVE-2021-29951)

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to the way Mozilla Maintenance Service is installed in the Windows operating system. After installation the Mozilla Maintenance Service is granted SERVICE_START access to BUILTIN|Users which, in a domain network, grants normal remote users access to start or stop the service. A local domain user can spam the "Stop" command and prevent the browser update service from operating.

The vulnerability affects only Firefox ESR installed on operating system Windows 10 build 1709 and older.

Remediation

Install update from vendor's website.

References

https://www.mozilla.org/en-US/security/advisories/mfsa2021-19/