Original Issue Date: August 31, 2021
Severity Rating: HIGH
Software Affected
Mozilla Firefox versions prior to 91.0.1
Mozilla Firefox Thunderbird version prior to 91.0.1
Overview
A vulnerability has been reported in Mozilla products which could allow a remote attacker to perform a header splitting attack against servers using HTTP/3.
Description
This vulnerability exists in Mozilla products due to incorrect acceptance of a newline in an HTTP/3 header, which is then interpreted as two separate headers. A remote attacker could exploit this vulnerability using HTTP/3 responses to inject arbitrary HTTP headers and cause the server to return a split response once the URL is clicked.
Successful exploitation of the vulnerability could lead to a header splitting attack (Improper Neutralization of CRLF Sequences in HTTP Headers) against servers using HTTP/3.
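The following added example (not Mozilla's code and not part of the original advisory) shows how one decoded HTTP/3 field containing a newline becomes two headers when flattened to text, next to a check that rejects such a field. All function names are hypothetical and the sample fields are constructed.

```python
import re

# Field-name characters: RFC 9110 "token", lowercase only as HTTP/3 requires.
_NAME = re.compile(r"[!#$%&'*+\-.^_`|~0-9a-z]+")
# Octets that must never appear inside a field value.
_BAD_VALUE = re.compile(r"[\r\n\x00]")


class MalformedField(ValueError):
    """Raised when a decoded field must cause the message to be rejected."""


def naive_flatten(fields):
    """Unsafe 'before': write fields as text lines and read the lines back."""
    text = "".join(f"{name}: {value}\r\n" for name, value in fields)
    return text.splitlines()


def validate_fields(fields):
    """Hardened 'after': reject the whole field section on the first bad field."""
    for name, value in fields:
        bare = name[1:] if name.startswith(":") else name  # pseudo-header
        # fullmatch, not match with "$": "$" would accept a trailing newline.
        if not _NAME.fullmatch(bare):
            raise MalformedField(f"invalid field name {name!r}")
        if _BAD_VALUE.search(value):
            raise MalformedField(f"CR/LF/NUL in value of {name!r}")
    return list(fields)


# Constructed sample: the second value carries an embedded newline.
SAMPLE = [("content-type", "text/html"), ("x-demo", "ok\nx-injected: 1")]
CLEAN = [(":status", "200"), ("content-type", "text/html")]

if __name__ == "__main__":
    print(naive_flatten(SAMPLE))  # two fields in, three header lines out
    try:
        validate_fields(SAMPLE)
    except MalformedField as exc:
        print("rejected:", exc)
```
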
Solution
Upgrade to Mozilla Firefox version 91.0.1 and Firefox Thunderbird version 91.0.1.