SUSE update for MozillaFirefox



Published: 2023-09-08
Risk High
Patch available YES
Number of vulnerabilities 13
CVE-ID CVE-2023-4051
CVE-2023-4053
CVE-2023-4574
CVE-2023-4575
CVE-2023-4576
CVE-2023-4577
CVE-2023-4578
CVE-2023-4580
CVE-2023-4581
CVE-2023-4582
CVE-2023-4583
CVE-2023-4584
CVE-2023-4585
CWE-ID CWE-357
CWE-416
CWE-190
CWE-119
CWE-400
CWE-312
CWE-200
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		SUSE Linux Enterprise Software Development Kit 12
Operating systems & Components / Operating system

SUSE Linux Enterprise Server for SAP Applications 12
Operating systems & Components / Operating system

SUSE Linux Enterprise Server 12
Operating systems & Components / Operating system

SUSE Linux Enterprise High Performance Computing 12
Operating systems & Components / Operating system

MozillaFirefox
Operating systems & Components / Operating system package or component

MozillaFirefox-translations-common
Operating systems & Components / Operating system package or component

MozillaFirefox-devel
Operating systems & Components / Operating system package or component

MozillaFirefox-debuginfo
Operating systems & Components / Operating system package or component

MozillaFirefox-debugsource
Operating systems & Components / Operating system package or component

Vendor SUSE

Security Bulletin

This security bulletin contains information about 13 vulnerabilities.

1) Insufficient UI Warning of Dangerous Operations

EUVDB-ID: #VU78851

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4051

CWE-ID: CWE-357 - Insufficient UI Warning of Dangerous Operations

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to an error when displaying the full screen notification by using the file open dialog. A remote attacker can trick the victim into clocking on the file open dialog and perform spoofing attack.

Mitigation

Update the affected package MozillaFirefox to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Software Development Kit 12: SP5

SUSE Linux Enterprise Server for SAP Applications 12: SP5

SUSE Linux Enterprise Server 12: SP5

SUSE Linux Enterprise High Performance Computing 12: SP5

MozillaFirefox: before 115.2.0-112.176.1

MozillaFirefox-translations-common: before 115.2.0-112.176.1

MozillaFirefox-devel: before 115.2.0-112.176.1

MozillaFirefox-debuginfo: before 115.2.0-112.176.1

MozillaFirefox-debugsource: before 115.2.0-112.176.1

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20233559-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Insufficient UI Warning of Dangerous Operations

EUVDB-ID: #VU78853

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4053

CWE-ID: CWE-357 - Insufficient UI Warning of Dangerous Operations

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due an error when handling full screen notifications. A malicious website can obscure the full screen notification by using a URL with a scheme handled by an external program, such as a mailto URL, and perform spoofing attack.

Mitigation

Update the affected package MozillaFirefox to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Software Development Kit 12: SP5

SUSE Linux Enterprise Server for SAP Applications 12: SP5

SUSE Linux Enterprise Server 12: SP5

SUSE Linux Enterprise High Performance Computing 12: SP5

MozillaFirefox: before 115.2.0-112.176.1

MozillaFirefox-translations-common: before 115.2.0-112.176.1

MozillaFirefox-devel: before 115.2.0-112.176.1

MozillaFirefox-debuginfo: before 115.2.0-112.176.1

MozillaFirefox-debugsource: before 115.2.0-112.176.1

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20233559-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Use-after-free

EUVDB-ID: #VU80091

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4574

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in IPC ColorPickerShownCallback. A remote attacker can trick the victim to open a specially crafted website, trigger memory corruption and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update the affected package MozillaFirefox to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Software Development Kit 12: SP5

SUSE Linux Enterprise Server for SAP Applications 12: SP5

SUSE Linux Enterprise Server 12: SP5

SUSE Linux Enterprise High Performance Computing 12: SP5

MozillaFirefox: before 115.2.0-112.176.1

MozillaFirefox-translations-common: before 115.2.0-112.176.1

MozillaFirefox-devel: before 115.2.0-112.176.1

MozillaFirefox-debuginfo: before 115.2.0-112.176.1

MozillaFirefox-debugsource: before 115.2.0-112.176.1

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20233559-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Use-after-free

EUVDB-ID: #VU80092

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4575

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in IPC FilePickerShownCallback. A remote attacker can trick the victim to open a specially crafted website, trigger memory corruption and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update the affected package MozillaFirefox to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Software Development Kit 12: SP5

SUSE Linux Enterprise Server for SAP Applications 12: SP5

SUSE Linux Enterprise Server 12: SP5

SUSE Linux Enterprise High Performance Computing 12: SP5

MozillaFirefox: before 115.2.0-112.176.1

MozillaFirefox-translations-common: before 115.2.0-112.176.1

MozillaFirefox-devel: before 115.2.0-112.176.1

MozillaFirefox-debuginfo: before 115.2.0-112.176.1

MozillaFirefox-debugsource: before 115.2.0-112.176.1

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20233559-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Integer overflow

EUVDB-ID: #VU80093

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4576

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in RecordedSourceSurfaceCreation. A remote attacker can trick the victim to visit a specially crafted website, trigger an integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note, the vulnerability affects Firefox installations on Windows only.

Mitigation

Update the affected package MozillaFirefox to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Software Development Kit 12: SP5

SUSE Linux Enterprise Server for SAP Applications 12: SP5

SUSE Linux Enterprise Server 12: SP5

SUSE Linux Enterprise High Performance Computing 12: SP5

MozillaFirefox: before 115.2.0-112.176.1

MozillaFirefox-translations-common: before 115.2.0-112.176.1

MozillaFirefox-devel: before 115.2.0-112.176.1

MozillaFirefox-debuginfo: before 115.2.0-112.176.1

MozillaFirefox-debugsource: before 115.2.0-112.176.1

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20233559-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Buffer overflow

EUVDB-ID: #VU80097

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4577

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in JIT UpdateRegExpStatics when UpdateRegExpStatics attempted to access initialStringHeap. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected package MozillaFirefox to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Software Development Kit 12: SP5

SUSE Linux Enterprise Server for SAP Applications 12: SP5

SUSE Linux Enterprise Server 12: SP5

SUSE Linux Enterprise High Performance Computing 12: SP5

MozillaFirefox: before 115.2.0-112.176.1

MozillaFirefox-translations-common: before 115.2.0-112.176.1

MozillaFirefox-devel: before 115.2.0-112.176.1

MozillaFirefox-debuginfo: before 115.2.0-112.176.1

MozillaFirefox-debugsource: before 115.2.0-112.176.1

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20233559-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Resource exhaustion

EUVDB-ID: #VU80098

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4578

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in JS::CheckRegExpSyntax. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Update the affected package MozillaFirefox to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Software Development Kit 12: SP5

SUSE Linux Enterprise Server for SAP Applications 12: SP5

SUSE Linux Enterprise Server 12: SP5

SUSE Linux Enterprise High Performance Computing 12: SP5

MozillaFirefox: before 115.2.0-112.176.1

MozillaFirefox-translations-common: before 115.2.0-112.176.1

MozillaFirefox-devel: before 115.2.0-112.176.1

MozillaFirefox-debuginfo: before 115.2.0-112.176.1

MozillaFirefox-debugsource: before 115.2.0-112.176.1

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20233559-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Cleartext storage of sensitive information

EUVDB-ID: #VU80099

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4580

CWE-ID: CWE-312 - Cleartext Storage of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to push notifications are saved to disk unencrypted. A local user can gain access to potentially sensitive information.

Mitigation

Update the affected package MozillaFirefox to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Software Development Kit 12: SP5

SUSE Linux Enterprise Server for SAP Applications 12: SP5

SUSE Linux Enterprise Server 12: SP5

SUSE Linux Enterprise High Performance Computing 12: SP5

MozillaFirefox: before 115.2.0-112.176.1

MozillaFirefox-translations-common: before 115.2.0-112.176.1

MozillaFirefox-devel: before 115.2.0-112.176.1

MozillaFirefox-debuginfo: before 115.2.0-112.176.1

MozillaFirefox-debugsource: before 115.2.0-112.176.1

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20233559-1/


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Insufficient UI Warning of Dangerous Operations

EUVDB-ID: #VU80094

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4581

CWE-ID: CWE-357 - Insufficient UI Warning of Dangerous Operations

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to a missing warning when downloading Excel .xll add-in files. A remote attacker can trick the victim to visit a specially crafted website and force the browser to download potentially dangerous files without any warning.

Mitigation

Update the affected package MozillaFirefox to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Software Development Kit 12: SP5

SUSE Linux Enterprise Server for SAP Applications 12: SP5

SUSE Linux Enterprise Server 12: SP5

SUSE Linux Enterprise High Performance Computing 12: SP5

MozillaFirefox: before 115.2.0-112.176.1

MozillaFirefox-translations-common: before 115.2.0-112.176.1

MozillaFirefox-devel: before 115.2.0-112.176.1

MozillaFirefox-debuginfo: before 115.2.0-112.176.1

MozillaFirefox-debugsource: before 115.2.0-112.176.1

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20233559-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Buffer overflow

EUVDB-ID: #VU80100

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4582

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in WebGL glGetProgramiv. A remote attacker can trick the victim to open a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.

Note, the vulnerability affects only Firefox installations on macOS.

Mitigation

Update the affected package MozillaFirefox to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Software Development Kit 12: SP5

SUSE Linux Enterprise Server for SAP Applications 12: SP5

SUSE Linux Enterprise Server 12: SP5

SUSE Linux Enterprise High Performance Computing 12: SP5

MozillaFirefox: before 115.2.0-112.176.1

MozillaFirefox-translations-common: before 115.2.0-112.176.1

MozillaFirefox-devel: before 115.2.0-112.176.1

MozillaFirefox-debuginfo: before 115.2.0-112.176.1

MozillaFirefox-debugsource: before 115.2.0-112.176.1

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20233559-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Information disclosure

EUVDB-ID: #VU80101

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4583

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to private session data are not cleared in HttpBaseChannel when closing private window. A remote attacker can obtain information from the not cleared session.

Mitigation

Update the affected package MozillaFirefox to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Software Development Kit 12: SP5

SUSE Linux Enterprise Server for SAP Applications 12: SP5

SUSE Linux Enterprise Server 12: SP5

SUSE Linux Enterprise High Performance Computing 12: SP5

MozillaFirefox: before 115.2.0-112.176.1

MozillaFirefox-translations-common: before 115.2.0-112.176.1

MozillaFirefox-devel: before 115.2.0-112.176.1

MozillaFirefox-debuginfo: before 115.2.0-112.176.1

MozillaFirefox-debugsource: before 115.2.0-112.176.1

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20233559-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Buffer overflow

EUVDB-ID: #VU80095

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4584

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected package MozillaFirefox to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Software Development Kit 12: SP5

SUSE Linux Enterprise Server for SAP Applications 12: SP5

SUSE Linux Enterprise Server 12: SP5

SUSE Linux Enterprise High Performance Computing 12: SP5

MozillaFirefox: before 115.2.0-112.176.1

MozillaFirefox-translations-common: before 115.2.0-112.176.1

MozillaFirefox-devel: before 115.2.0-112.176.1

MozillaFirefox-debuginfo: before 115.2.0-112.176.1

MozillaFirefox-debugsource: before 115.2.0-112.176.1

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20233559-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Buffer overflow

EUVDB-ID: #VU80102

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4585

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim to visit a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected package MozillaFirefox to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Software Development Kit 12: SP5

SUSE Linux Enterprise Server for SAP Applications 12: SP5

SUSE Linux Enterprise Server 12: SP5

SUSE Linux Enterprise High Performance Computing 12: SP5

MozillaFirefox: before 115.2.0-112.176.1

MozillaFirefox-translations-common: before 115.2.0-112.176.1

MozillaFirefox-devel: before 115.2.0-112.176.1

MozillaFirefox-debuginfo: before 115.2.0-112.176.1

MozillaFirefox-debugsource: before 115.2.0-112.176.1

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20233559-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###