CVE-2021-24002: 
NixOS vulnerability analysis and mitigation

CVE-2021-24002 is a security vulnerability discovered in Mozilla Firefox browsers that affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. The vulnerability was discovered by Daniel Santos and disclosed on April 19, 2021. The issue allows arbitrary command execution on FTP servers through specially crafted FTP URLs containing encoded newline characters (Mozilla Advisory, CVE Details).

The vulnerability occurs when a user clicks on an FTP URL containing encoded newline characters (%0A and %0D). These special characters are interpreted as actual newlines, allowing arbitrary commands to be sent to the FTP server. The vulnerability was introduced when a previous security check for special characters was accidentally removed during code changes (Mozilla Bug). The issue is rated as moderate severity, with a CVSS 3.1 score of 5.5 (AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L) (Mozilla Bug).

The vulnerability allows attackers to execute arbitrary FTP commands on servers that the victim has access to. This could lead to unauthorized file deletion or remote file downloads. More significantly, attackers could use PORT commands to download files from internal FTP servers to attacker-controlled servers, potentially exposing sensitive data from corporate networks that are not directly accessible from the internet (Mozilla Bug).

The vulnerability was fixed in Firefox 88, Firefox ESR 78.10, and Thunderbird 78.10. The fix involves rejecting URLs that contain embedded \r\n\0 characters. Additionally, FTP support was disabled by default in Firefox 88, though it could still be enabled via preference settings or web extensions (Mozilla Advisory).