CVE-2023-29532 — Logging of Excessive Data in Mozilla Firefox
Severity: 5.5 MEDIUM (NVD)
EPSS: 0.1% (top 75.44%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 19
Description
A local attacker can trick the Mozilla Maintenance Service into applying an unsigned update file by pointing the service at an update file on a malicious SMB server. The update file can be replaced after the signature check but before use, because the write lock requested by the service does not work on an SMB server.
*Note: This attack requires local system access and only affects Windows. Other operating systems are not affected.* This vulnerability affects Firefox < 112, Firefox ESR < 102.10…
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (Exploitability: 1.8 | Impact: 3.6)
Affected Packages: 6 packages
Vulnerability Details (3 sources)
- OSV: CVE-2023-29532 (2023-06-19)
- GHSA: GHSA-f2q9-pfpx-m83g (2023-06-19)
- CVEList: CVE-2023-29532 (2023-06-19)
Vendor Advisories (5)
- Debian: CVE-2023-29532: firefox (2023)