CVE-2023-23602
published 2023-06-02CVE-2023-23602: A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to…
PriorityP430medium6.5CVSS 3.1
AVNACLPRNUIRSUCNIHAN
EPSS
0.60%
44.4th percentile
A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers. This vulnerability affects Firefox < 109, Firefox ESR < 102.7, and Thunderbird < 102.7.
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 109.0-1 (sid) | firefox 109.0-1 (sid) |
| debian | firefox-esr | < firefox 109.0-1 (sid) | firefox 109.0-1 (sid) |
| debian | thunderbird | < firefox 109.0-1 (sid) | firefox 109.0-1 (sid) |
| mozilla | firefox | < 109.0 | 109.0 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 109.0.1+build1-0ubuntu0.18.04.2 | 109.0.1+build1-0ubuntu0.18.04.2 |
| mozilla | firefox | >= 0 < 109.0+build2-0ubuntu0.18.04.1 | 109.0+build2-0ubuntu0.18.04.1 |
| mozilla | firefox | >= 0 < 109.0.1+build1-0ubuntu0.20.04.2 | 109.0.1+build1-0ubuntu0.20.04.2 |
| mozilla | firefox | >= 0 < 109.0+build2-0ubuntu0.20.04.1 | 109.0+build2-0ubuntu0.20.04.1 |
| mozilla | firefox | >= unspecified < 109 | 109 |
| mozilla | firefox_esr | < 102.7 | 102.7 |
| mozilla | firefox_esr | >= unspecified < 102.7 | 102.7 |
| mozilla | thunderbird | < 102.7 | 102.7 |
| mozilla | thunderbird | >= 0 < 1:102.8.0-1~deb11u1 | 1:102.8.0-1~deb11u1 |
| mozilla | thunderbird | >= 0 < 1:102.7.1-1 | 1:102.7.1-1 |
| mozilla | thunderbird | >= 0 < 1:102.7.1-1 | 1:102.7.1-1 |
| mozilla | thunderbird | >= 0 < 1:102.7.1-1 | 1:102.7.1-1 |
| mozilla | thunderbird | >= 0 < 1:102.7.1+build2-0ubuntu0.18.04.1 | 1:102.7.1+build2-0ubuntu0.18.04.1 |
| mozilla | thunderbird | >= 0 < 1:102.7.1+build2-0ubuntu0.20.04.1 | 1:102.7.1+build2-0ubuntu0.20.04.1 |
| mozilla | thunderbird | >= 0 < 1:102.7.1+build2-0ubuntu0.22.04.1 | 1:102.7.1+build2-0ubuntu0.22.04.1 |
| mozilla | thunderbird | >= unspecified < 102.7 | 102.7 |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
osv6.5MEDIUM
vendor_debian6.5MEDIUM
vendor_redhat6.5MEDIUM
vendor_ubuntu6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-457f-c77p-7wc3: A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored
ghsa_unreviewed·2023-06-02
CVE-2023-23602 [MEDIUM] CWE-754 GHSA-457f-c77p-7wc3: A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored
A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.
OSV
CVE-2023-23602: A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored
osv·2023-06-02·CVSS 6.5
CVE-2023-23602 [MEDIUM] CVE-2023-23602: A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored
A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers. This vulnerability affects Firefox < 109, Firefox ESR < 102.7, and Thunderbird < 102.7.
OSV
firefox regressions
osv·2023-02-06·CVSS 6.5
[MEDIUM] firefox regressions
firefox regressions
USN-5816-1 fixed vulnerabilities in Firefox. The update introduced
several minor regressions. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Niklas Baumstark discovered that a compromised web child process of Firefox
could disable web security opening restrictions, leading to a new child
process being spawned within the file:// context. An attacker could
potentially exploits this to obtain sensitive information. (CVE-2023-23597)
Tom Schuster discovered that Firefox was not performing a validation check
on GTK drag data. An attacker could potentially exploits this to obtain
sensitive information. (CVE-2023-23598)
Vadim discovered that Firefox was not properly sanitizing a curl command
output when copying a network requ
OSV
thunderbird vulnerabilities
osv·2023-02-06·CVSS 6.5
CVE-2022-45403 [MEDIUM] thunderbird vulnerabilities
thunderbird vulnerabilities
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, cross-site
tracing, or execute arbitrary code. (CVE-2022-45403, CVE-2022-45404,
CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409,
CVE-2022-45410, CVE-2022-45411, CVE-2022-45418, CVE-2022-45420,
CVE-2022-45421, CVE-2022-46878, CVE-2022-46880, CVE-2022-46881,
CVE-2022-46882, CVE-2023-23605)
Armin Ebert discovered that Thunderbird did not properly manage memory
while resolving file symlink. If a user were tricked into opening a
specially crafted weblink, an attacker could pote
OSV
firefox vulnerabilities
osv·2023-01-23·CVSS 6.5
CVE-2023-23597 [MEDIUM] firefox vulnerabilities
firefox vulnerabilities
Niklas Baumstark discovered that a compromised web child process of Firefox
could disable web security opening restrictions, leading to a new child
process being spawned within the file:// context. An attacker could
potentially exploits this to obtain sensitive information. (CVE-2023-23597)
Tom Schuster discovered that Firefox was not performing a validation check
on GTK drag data. An attacker could potentially exploits this to obtain
sensitive information. (CVE-2023-23598)
Vadim discovered that Firefox was not properly sanitizing a curl command
output when copying a network request from the developer tools panel. An
attacker could potentially exploits this to hide and execute arbitrary
commands. (CVE-2023-23599)
Luan Herrera discovered that Firefox was not stop
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2023-02-06·CVSS 6.5
CVE-2022-45409 [MEDIUM] Thunderbird vulnerabilities
Title: Thunderbird vulnerabilities
Summary: Several security issues were fixed in Thunderbird.
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, cross-site
tracing, or execute arbitrary code. (CVE-2022-45403, CVE-2022-45404,
CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409,
CVE-2022-45410, CVE-2022-45411, CVE-2022-45418, CVE-2022-45420,
CVE-2022-45421, CVE-2022-46878, CVE-2022-46880, CVE-2022-46881,
CVE-2022-46882, CVE-2023-23605)
Armin Ebert discovered that Thunderbird did not properly manage memory
while resolving file symlink. If a user were tric
Ubuntu
Firefox regressions
vendor_ubuntu·2023-02-06·CVSS 6.5
[MEDIUM] Firefox regressions
Title: Firefox regressions
Summary: USN-5816-1 caused some minor regressions in Firefox.
USN-5816-1 fixed vulnerabilities in Firefox. The update introduced
several minor regressions. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Niklas Baumstark discovered that a compromised web child process of Firefox
could disable web security opening restrictions, leading to a new child
process being spawned within the file:// context. An attacker could
potentially exploits this to obtain sensitive information. (CVE-2023-23597)
Tom Schuster discovered that Firefox was not performing a validation check
on GTK drag data. An attacker could potentially exploits this to obtain
sensitive information. (CVE-2023-23598)
Vadim discovered that Firefox was not
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2023-01-23·CVSS 6.5
CVE-2023-23603 [MEDIUM] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Several security issues were fixed in Firefox.
Niklas Baumstark discovered that a compromised web child process of Firefox
could disable web security opening restrictions, leading to a new child
process being spawned within the file:// context. An attacker could
potentially exploits this to obtain sensitive information. (CVE-2023-23597)
Tom Schuster discovered that Firefox was not performing a validation check
on GTK drag data. An attacker could potentially exploits this to obtain
sensitive information. (CVE-2023-23598)
Vadim discovered that Firefox was not properly sanitizing a curl command
output when copying a network request from the developer tools panel. An
attacker could potentially exploits this to hide and execute arbitrary
commands. (CV
Red Hat
Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers
vendor_redhat·2023-01-17·CVSS 6.5
CVE-2023-23602 [MEDIUM] CWE-1385 Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers
Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers
A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers. This vulnerability affects Firefox < 109, Firefox ESR < 102.7, and Thunderbird < 102.7.
The Mozilla Foundation Security Advisory describes this flaw as:
A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers.
Statement: Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advis
Debian
CVE-2023-23602: firefox - A mishandled security check when creating a WebSocket in a WebWorker caused the ...
vendor_debian·2023·CVSS 6.5
CVE-2023-23602 [MEDIUM] CVE-2023-23602: firefox - A mishandled security check when creating a WebSocket in a WebWorker caused the ...
A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers. This vulnerability affects Firefox < 109, Firefox ESR < 102.7, and Thunderbird < 102.7.
Scope: local
sid: resolved (fixed in 109.0-1)
Mozilla
Mozilla Foundation Security Advisory 2023-02: CVE-2023-23602
vendor_mozilla·CVSS 6.5
CVE-2023-23602 [MEDIUM] Mozilla Foundation Security Advisory 2023-02: CVE-2023-23602
Mozilla Foundation Security Advisory 2023-02
CVE: CVE-2023-23602
Product: Firefox ESR
Impact: high
Fixed in: Firefox ESR 102.7
Mozilla
Mozilla Foundation Security Advisory 2023-01: CVE-2023-23602
vendor_mozilla·CVSS 6.5
CVE-2023-23602 [MEDIUM] Mozilla Foundation Security Advisory 2023-01: CVE-2023-23602
Mozilla Foundation Security Advisory 2023-01
CVE: CVE-2023-23602
Product: Firefox
Impact: high
Fixed in: Firefox 109
Mozilla
Mozilla Foundation Security Advisory 2023-03: CVE-2023-23602
vendor_mozilla·CVSS 6.5
CVE-2023-23602 [MEDIUM] Mozilla Foundation Security Advisory 2023-03: CVE-2023-23602
Mozilla Foundation Security Advisory 2023-03
CVE: CVE-2023-23602
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 102.7
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://bugzilla.mozilla.org/show_bug.cgi?id=1800890https://www.mozilla.org/security/advisories/mfsa2023-01/https://www.mozilla.org/security/advisories/mfsa2023-02/https://www.mozilla.org/security/advisories/mfsa2023-03/https://bugzilla.mozilla.org/show_bug.cgi?id=1800890https://www.mozilla.org/security/advisories/mfsa2023-01/https://www.mozilla.org/security/advisories/mfsa2023-02/https://www.mozilla.org/security/advisories/mfsa2023-03/https://bugzilla.mozilla.org/show_bug.cgi?id=1800890
2023-06-02
Published