gsd - gsd-2023-23602

gsd-2023-23602

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.

Aliases

CVE-2023-23602

Aliases

CVE-2023-23602

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-23602",
    "id": "GSD-2023-23602",
    "references": [
      "https://www.suse.com/security/cve/CVE-2023-23602.html",
      "https://www.debian.org/security/2023/dsa-5322",
      "https://www.debian.org/security/2023/dsa-5355",
      "https://advisories.mageia.org/CVE-2023-23602.html",
      "https://access.redhat.com/errata/RHSA-2023:0285",
      "https://access.redhat.com/errata/RHSA-2023:0286",
      "https://access.redhat.com/errata/RHSA-2023:0288",
      "https://access.redhat.com/errata/RHSA-2023:0289",
      "https://access.redhat.com/errata/RHSA-2023:0290",
      "https://access.redhat.com/errata/RHSA-2023:0294",
      "https://access.redhat.com/errata/RHSA-2023:0295",
      "https://access.redhat.com/errata/RHSA-2023:0296",
      "https://access.redhat.com/errata/RHSA-2023:0456",
      "https://access.redhat.com/errata/RHSA-2023:0457",
      "https://access.redhat.com/errata/RHSA-2023:0459",
      "https://access.redhat.com/errata/RHSA-2023:0460",
      "https://access.redhat.com/errata/RHSA-2023:0461",
      "https://access.redhat.com/errata/RHSA-2023:0462",
      "https://access.redhat.com/errata/RHSA-2023:0463",
      "https://access.redhat.com/errata/RHSA-2023:0476",
      "https://ubuntu.com/security/CVE-2023-23602"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-23602"
      ],
      "details": "A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers. This vulnerability affects Firefox \u003c 109, Thunderbird \u003c 102.7, and Firefox ESR \u003c 102.7.",
      "id": "GSD-2023-23602",
      "modified": "2023-12-13T01:20:50.140203Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@mozilla.org",
        "ID": "CVE-2023-23602",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Firefox",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "109"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Thunderbird",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "102.7"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Firefox ESR",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "102.7"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Mozilla"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers. This vulnerability affects Firefox \u003c 109, Thunderbird \u003c 102.7, and Firefox ESR \u003c 102.7."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Content Security Policy wasn\u0027t being correctly applied to WebSockets in WebWorkers"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.mozilla.org/security/advisories/mfsa2023-02/",
            "refsource": "MISC",
            "url": "https://www.mozilla.org/security/advisories/mfsa2023-02/"
          },
          {
            "name": "https://www.mozilla.org/security/advisories/mfsa2023-01/",
            "refsource": "MISC",
            "url": "https://www.mozilla.org/security/advisories/mfsa2023-01/"
          },
          {
            "name": "https://www.mozilla.org/security/advisories/mfsa2023-03/",
            "refsource": "MISC",
            "url": "https://www.mozilla.org/security/advisories/mfsa2023-03/"
          },
          {
            "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1800890",
            "refsource": "MISC",
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1800890"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "109.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "102.7",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "102.7",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@mozilla.org",
          "ID": "CVE-2023-23602"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers. This vulnerability affects Firefox \u003c 109, Thunderbird \u003c 102.7, and Firefox ESR \u003c 102.7."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-754"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2023-01/",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.mozilla.org/security/advisories/mfsa2023-01/"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2023-03/",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.mozilla.org/security/advisories/mfsa2023-03/"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2023-02/",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.mozilla.org/security/advisories/mfsa2023-02/"
            },
            {
              "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1800890",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Permissions Required",
                "Vendor Advisory"
              ],
              "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1800890"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-06-08T16:34Z",
      "publishedDate": "2023-06-02T17:15Z"
    }
  }
}

cve-2023-23602

Vulnerability from cvelistv5

Published

2023-06-02 00:00

Modified

2024-08-02 10:35

Severity ?

Summary

References

▼	URL	Tags
	https://www.mozilla.org/security/advisories/mfsa2023-02/
	https://www.mozilla.org/security/advisories/mfsa2023-01/
	https://www.mozilla.org/security/advisories/mfsa2023-03/
	https://bugzilla.mozilla.org/show_bug.cgi?id=1800890

Impacted products

▼	Vendor	Product
	Mozilla	Firefox
	Mozilla	Thunderbird
	Mozilla	Firefox ESR

Show details on NVD website