Описание
Firefox incorrectly accepted a newline in a HTTP/3 header, interpretting it as two separate headers. This allowed for a header splitting attack against servers using HTTP/3. This vulnerability affects Firefox < 91.0.1 and Thunderbird < 91.0.1.
The Mozilla Foundation Security Advisory describes this flaw as:
Firefox incorrectly accepted a newline in a HTTP/3 header, interpretting it as two separate headers. This allowed for a header splitting attack against servers using HTTP/3.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | firefox | Out of support scope | ||
| Red Hat Enterprise Linux 6 | thunderbird | Out of support scope | ||
| Red Hat Enterprise Linux 7 | firefox | Fix deferred | ||
| Red Hat Enterprise Linux 7 | thunderbird | Fix deferred | ||
| Red Hat Enterprise Linux 8 | firefox | Fix deferred | ||
| Red Hat Enterprise Linux 8 | thunderbird | Fix deferred | ||
| Red Hat Enterprise Linux 9 | firefox | Not affected | ||
| Red Hat Enterprise Linux 9 | thunderbird | Not affected |
Показывать по
Дополнительная информация
Статус:
7.5 High
CVSS3
Связанные уязвимости
Firefox incorrectly accepted a newline in a HTTP/3 header, interpretting it as two separate headers. This allowed for a header splitting attack against servers using HTTP/3. This vulnerability affects Firefox < 91.0.1 and Thunderbird < 91.0.1.
Firefox incorrectly accepted a newline in a HTTP/3 header, interpretting it as two separate headers. This allowed for a header splitting attack against servers using HTTP/3. This vulnerability affects Firefox < 91.0.1 and Thunderbird < 91.0.1.
Firefox incorrectly accepted a newline in a HTTP/3 header, interpretti ...
Firefox incorrectly accepted a newline in a HTTP/3 header, interpretting it as two separate headers. This allowed for a header splitting attack against servers using HTTP/3. This vulnerability affects Firefox < 91.0.1 and Thunderbird < 91.0.1.
Уязвимость почтового клиента Thunderbird, браузера Firefox, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю осуществлять межсайтовые сценарные атаки (XSS)
7.5 High
CVSS3