CVE-2021-38505
Published: 8 December 2021
Microsoft introduced a new feature in Windows 10 known as Cloud Clipboard which, if enabled, will record data copied to the clipboard to the cloud, and make it available on other computers in certain scenarios. Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats; and Firefox before versions 94 and ESR 91.3 did not implement them. This could have caused sensitive data to be recorded to a user's Microsoft account. *This bug only affects Firefox for Windows 10+ with Cloud Clipboard enabled. Other operating systems are unaffected.*. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.
Notes
Author | Note |
---|---|
tyhicks | mozjs contains a copy of the SpiderMonkey JavaScript engine |
Priority
Status
Package | Release | Status |
---|---|---|
firefox Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(Windows only)
|
focal |
Not vulnerable
(Windows only)
|
|
hirsute |
Not vulnerable
(Windows only)
|
|
impish |
Not vulnerable
(Windows only)
|
|
jammy |
Not vulnerable
(Windows only)
|
|
kinetic |
Not vulnerable
(Windows only)
|
|
lunar |
Not vulnerable
(Windows only)
|
|
mantic |
Not vulnerable
(Windows only)
|
|
noble |
Not vulnerable
(Windows only)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(94)
|
|
xenial |
Not vulnerable
(Windows only)
|
|
mozjs38 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
focal |
Does not exist
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
lunar |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
mozjs52 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
focal |
Needs triage
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
lunar |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
mozjs68 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Needs triage
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
lunar |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
mozjs78 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Does not exist
|
|
hirsute |
Ignored
(end of life)
|
|
impish |
Ignored
(end of life)
|
|
jammy |
Needs triage
|
|
kinetic |
Ignored
(end of life, was needs-triage)
|
|
lunar |
Ignored
(end of life, was needs-triage)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
thunderbird Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(Windows only)
|
focal |
Not vulnerable
(Windows only)
|
|
hirsute |
Not vulnerable
(Windows only)
|
|
impish |
Not vulnerable
(Windows only)
|
|
jammy |
Not vulnerable
(Windows only)
|
|
kinetic |
Not vulnerable
(Windows only)
|
|
lunar |
Not vulnerable
(Windows only)
|
|
mantic |
Not vulnerable
(Windows only)
|
|
noble |
Not vulnerable
(Windows only)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(91.3)
|
|
xenial |
Not vulnerable
(Windows only)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |