CVE-2023-23597Inadequate Encryption Strength in Mozilla Firefox

CWE-326Inadequate Encryption Strength9 documents6 sources
Severity
6.5MEDIUMNVD
EPSS
0.1%
top 72.40%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mozilla FirefoxDebian Firefox
Timeline
PublishedJun 2

Description

A compromised web child process could disable web security opening restrictions, leading to a new child process being spawned within the `file://` context. Given a reliable exploit primitive, this new process could be exploited again leading to arbitrary file read. This vulnerability affects Firefox < 109.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

debiandebian/firefox< firefox 109.0-1 (sid)
CVEListV5mozilla/firefoxunspecified109
NVDmozilla/firefox< 109.0
Ubuntumozilla/firefox< 109.0.1+build1-0ubuntu0.18.04.2+3
mozillamozilla/firefox

🔴Vulnerability Details

4
GHSA
GHSA-5gvm-v5f4-x692: A compromised web child process could disable web security opening restrictions, leading to a new child process being spawned within the file:// conte2023-06-02
OSV
firefox regressions2023-02-06
OSV
firefox vulnerabilities2023-01-23
OSV
CVE-2023-23597: A compromised web child process could disable web security opening restrictions, leading to a new child process being spawned within the `file://` con2023-01-18

📋Vendor Advisories

4
Ubuntu
Firefox regressions2023-02-06
Ubuntu
Firefox vulnerabilities2023-01-23
Debian
CVE-2023-23597: firefox - A compromised web child process could disable web security opening restrictions,...2023
Mozilla
Mozilla Foundation Security Advisory 2023-01: CVE-2023-23597
CVE-2023-23597 — Inadequate Encryption Strength | cvebase