CVE-2023-4583 - OpenCVE

When checking if the Browsing Context had been discarded in `HttpBaseChannel`, if the load group was not available then it was assumed to have already been discarded which was not always the case for private channels after the private session had ended. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Mozilla	Firefox Esr Firefox Thunderbird

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox::::::::
	cpe:2.3:a:mozilla:firefox_esr::::::::
	cpe:2.3:a:mozilla:thunderbird::::::::

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1842030	Issue Tracking
https://www.mozilla.org/security/advisories/mfsa2023-34/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2023-36/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2023-38/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mozilla

Published: 2023-09-11T08:02:01.933Z

Updated: 2023-09-11T08:02:01.933Z

Reserved: 2023-08-29T03:37:00.389Z

Link: CVE-2023-4583

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-09-11T09:15:09.680

Modified: 2023-09-14T03:52:30.463

Link: CVE-2023-4583

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-4583", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2023-08-29T03:37:00.389Z", "datePublished": "2023-09-11T08:02:01.933Z", "dateUpdated": "2023-09-11T08:02:01.933Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"lessThan": "117", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Firefox ESR", "vendor": "Mozilla", "versions": [{"lessThan": "115.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "115.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "When checking if the Browsing Context had been discarded in `HttpBaseChannel`, if the load group was not available then it was assumed to have already been discarded which was not always the case for private channels after the private session had ended. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "When checking if the Browsing Context had been discarded in <code>HttpBaseChannel</code>, if the load group was not available then it was assumed to have already been discarded which was not always the case for private channels after the private session had ended. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2."}]}], "problemTypes": [{"descriptions": [{"description": "Browsing Context potentially not cleared when closing Private Window", "lang": "en", "type": "text"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1842030"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2023-34/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2023-36/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2023-38/"}], "credits": [{"lang": "en", "value": "Thejaka Maldeniya"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2023-09-11T08:02:01.933Z"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "97397EB0-B9CD-4C1F-B2DC-92F03D4DC61B", "versionEndExcluding": "117.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "matchCriteriaId": "3DB778E6-50ED-4395-AFA5-A0043AEB4382", "versionEndExcluding": "115.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "F88F4161-8C10-4753-BE49-8AE5FB965EE4", "versionEndExcluding": "115.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "When checking if the Browsing Context had been discarded in `HttpBaseChannel`, if the load group was not available then it was assumed to have already been discarded which was not always the case for private channels after the private session had ended. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2."}, {"lang": "es", "value": "Al comprobar si el contexto de navegaci\u00f3n se hab\u00eda descartado en `HttpBaseChannel`, si el grupo de carga no estaba disponible, se supon\u00eda que ya se hab\u00eda descartado, lo que no siempre era el caso para los canales privados despu\u00e9s de que finalizaba la sesi\u00f3n privada. Esta vulnerabilidad afecta a Firefox < 117, Firefox ESR < 115.2 y Thunderbird < 115.2."}], "id": "CVE-2023-4583", "lastModified": "2023-09-14T03:52:30.463", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-11T09:15:09.680", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1842030"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2023-34/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2023-36/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2023-38/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}