CVE-2021-29974: 
NixOS vulnerability analysis and mitigation

CVE-2021-29974 is a security vulnerability discovered in Mozilla Firefox versions prior to 90.0. The issue emerged when network partitioning was enabled, particularly through Enhanced Tracking Protection settings. In this scenario, Firefox would incorrectly allow users to override TLS error pages on domains that had specified HTTP Strict Transport Security (HSTS), which by design should not be override-able (Mozilla Advisory, NVD).

The vulnerability stems from Firefox using incorrect Origin Attributes (OAs) when checking HSTS state during the loading of certificate error pages. Specifically, the browser used OAs without the partitionKey to check the HSTS state, resulting in an incorrect state being displayed on the error page. While this did not affect the actual network layer HSTS implementation, it allowed users to bypass security restrictions that should have been enforced (Mozilla Bug). The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) and a CVSS v2.0 Base Score of 2.6 (Low) (NVD).

The impact of this vulnerability was moderate, as it could allow users to bypass HSTS protections on affected domains. While the network connections were still correctly upgraded to HTTPS automatically, the vulnerability created a situation where users could override security errors that should have been non-overrideable, potentially exposing them to man-in-the-middle attacks (Mozilla Advisory).

The vulnerability was fixed in Firefox 90.0. Users and organizations were advised to upgrade to this version or later to address the issue. The fix involved modifying Firefox to use the correct Origin Attributes with the partitionKey when checking HSTS state in the nsDocShell component (Mozilla Bug). Various Linux distributions also released security updates to address this vulnerability, including Ubuntu and Gentoo (Ubuntu Notice, Gentoo Advisory).