CVE-2023-23597
published 2023-06-02CVE-2023-23597: A compromised web child process could disable web security opening restrictions, leading to a new child process being spawned within the `file://` context…
PriorityP433medium6.5CVSS 3.1
AVNACLPRNUIRSUCHINAN
EPSS
0.34%
25.9th percentile
A compromised web child process could disable web security opening restrictions, leading to a new child process being spawned within the `file://` context. Given a reliable exploit primitive, this new process could be exploited again leading to arbitrary file read. This vulnerability affects Firefox < 109.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 109.0-1 (sid) | firefox 109.0-1 (sid) |
| mozilla | firefox | < 109.0 | 109.0 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 109.0.1+build1-0ubuntu0.18.04.2 | 109.0.1+build1-0ubuntu0.18.04.2 |
| mozilla | firefox | >= 0 < 109.0+build2-0ubuntu0.18.04.1 | 109.0+build2-0ubuntu0.18.04.1 |
| mozilla | firefox | >= 0 < 109.0.1+build1-0ubuntu0.20.04.2 | 109.0.1+build1-0ubuntu0.20.04.2 |
| mozilla | firefox | >= 0 < 109.0+build2-0ubuntu0.20.04.1 | 109.0+build2-0ubuntu0.20.04.1 |
| mozilla | firefox | >= unspecified < 109 | 109 |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
osv6.5MEDIUM
vendor_debian6.5MEDIUM
vendor_ubuntu6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-5gvm-v5f4-x692: A compromised web child process could disable web security opening restrictions, leading to a new child process being spawned within the file:// conte
ghsa_unreviewed·2023-06-02
CVE-2023-23597 [MEDIUM] CWE-326 GHSA-5gvm-v5f4-x692: A compromised web child process could disable web security opening restrictions, leading to a new child process being spawned within the file:// conte
A compromised web child process could disable web security opening restrictions, leading to a new child process being spawned within the file:// context. Given a reliable exploit primitive, this new process could be exploited again leading to arbitrary file read. This vulnerability affects Firefox < 109.
OSV
firefox regressions
osv·2023-02-06·CVSS 6.5
[MEDIUM] firefox regressions
firefox regressions
USN-5816-1 fixed vulnerabilities in Firefox. The update introduced
several minor regressions. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Niklas Baumstark discovered that a compromised web child process of Firefox
could disable web security opening restrictions, leading to a new child
process being spawned within the file:// context. An attacker could
potentially exploits this to obtain sensitive information. (CVE-2023-23597)
Tom Schuster discovered that Firefox was not performing a validation check
on GTK drag data. An attacker could potentially exploits this to obtain
sensitive information. (CVE-2023-23598)
Vadim discovered that Firefox was not properly sanitizing a curl command
output when copying a network requ
OSV
firefox vulnerabilities
osv·2023-01-23·CVSS 6.5
CVE-2023-23597 [MEDIUM] firefox vulnerabilities
firefox vulnerabilities
Niklas Baumstark discovered that a compromised web child process of Firefox
could disable web security opening restrictions, leading to a new child
process being spawned within the file:// context. An attacker could
potentially exploits this to obtain sensitive information. (CVE-2023-23597)
Tom Schuster discovered that Firefox was not performing a validation check
on GTK drag data. An attacker could potentially exploits this to obtain
sensitive information. (CVE-2023-23598)
Vadim discovered that Firefox was not properly sanitizing a curl command
output when copying a network request from the developer tools panel. An
attacker could potentially exploits this to hide and execute arbitrary
commands. (CVE-2023-23599)
Luan Herrera discovered that Firefox was not stop
OSV
CVE-2023-23597: A compromised web child process could disable web security opening restrictions, leading to a new child process being spawned within the `file://` con
osv·2023-01-18·CVSS 6.5
CVE-2023-23597 [MEDIUM] CVE-2023-23597: A compromised web child process could disable web security opening restrictions, leading to a new child process being spawned within the `file://` con
A compromised web child process could disable web security opening restrictions, leading to a new child process being spawned within the `file://` context. Given a reliable exploit primitive, this new process could be exploited again leading to arbitrary file read. This vulnerability affects Firefox < 109.
Ubuntu
Firefox regressions
vendor_ubuntu·2023-02-06·CVSS 6.5
[MEDIUM] Firefox regressions
Title: Firefox regressions
Summary: USN-5816-1 caused some minor regressions in Firefox.
USN-5816-1 fixed vulnerabilities in Firefox. The update introduced
several minor regressions. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Niklas Baumstark discovered that a compromised web child process of Firefox
could disable web security opening restrictions, leading to a new child
process being spawned within the file:// context. An attacker could
potentially exploits this to obtain sensitive information. (CVE-2023-23597)
Tom Schuster discovered that Firefox was not performing a validation check
on GTK drag data. An attacker could potentially exploits this to obtain
sensitive information. (CVE-2023-23598)
Vadim discovered that Firefox was not
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2023-01-23·CVSS 6.5
CVE-2023-23603 [MEDIUM] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Several security issues were fixed in Firefox.
Niklas Baumstark discovered that a compromised web child process of Firefox
could disable web security opening restrictions, leading to a new child
process being spawned within the file:// context. An attacker could
potentially exploits this to obtain sensitive information. (CVE-2023-23597)
Tom Schuster discovered that Firefox was not performing a validation check
on GTK drag data. An attacker could potentially exploits this to obtain
sensitive information. (CVE-2023-23598)
Vadim discovered that Firefox was not properly sanitizing a curl command
output when copying a network request from the developer tools panel. An
attacker could potentially exploits this to hide and execute arbitrary
commands. (CV
Debian
CVE-2023-23597: firefox - A compromised web child process could disable web security opening restrictions,...
vendor_debian·2023·CVSS 6.5
CVE-2023-23597 [MEDIUM] CVE-2023-23597: firefox - A compromised web child process could disable web security opening restrictions,...
A compromised web child process could disable web security opening restrictions, leading to a new child process being spawned within the `file://` context. Given a reliable exploit primitive, this new process could be exploited again leading to arbitrary file read. This vulnerability affects Firefox < 109.
Scope: local
sid: resolved (fixed in 109.0-1)
Mozilla
Mozilla Foundation Security Advisory 2023-01: CVE-2023-23597
vendor_mozilla·CVSS 6.5
CVE-2023-23597 [MEDIUM] Mozilla Foundation Security Advisory 2023-01: CVE-2023-23597
Mozilla Foundation Security Advisory 2023-01
CVE: CVE-2023-23597
Product: Firefox
Impact: high
Fixed in: Firefox 109
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-06-02
Published