CVE-2023-4104

CWE-862Missing Authorization6 documents6 sources
Severity
5.5MEDIUM
EPSS
0.3%
top 47.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mozilla Mozilla VPN 2.16.1Mozilla VPN
Timeline
PublishedSep 11

Description

An invalid Polkit Authentication check and missing authentication requirements for D-Bus methods allowed any local user to configure arbitrary VPN setups. *This bug only affects Mozilla VPN on Linux. Other operating systems are unaffected.* This vulnerability affects Mozilla VPN 2.16.1 < (Linux).

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

NVDmozilla/vpn< 2.16.1
CVEListV5mozilla/mozilla_vpn_2.16.1unspecified(Linux)

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
CVE-2023-4104: An invalid Polkit Authentication check and missing authentication requirements for D-Bus methods allowed any local user to configure arbitrary VPN set2023-09-11
GHSA
GHSA-f2fh-jcp2-h8mp: An invalid Polkit Authentication check and missing authentication requirements for D-Bus methods allowed any local user to configure arbitrary VPN set2023-09-11
CVEList
CVE-2023-4104: An invalid Polkit Authentication check and missing authentication requirements for D-Bus methods allowed any local user to configure arbitrary VPN set2023-09-11

📋Vendor Advisories

2
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: Web Console Design (Apache Log4j) — CVE-2021-41042023-07-15
Mozilla
Mozilla Foundation Security Advisory 2023-39: CVE-2023-4104
CVE-2023-4104 (MEDIUM CVSS 5.5) | An invalid Polkit Authentication ch | cvebase.io