Insecure Inherited Permissions in Mozilla Firefox and Firefox ESR - CVE-2023-4052


Published: August 1, 2023 / Updated: August 2, 2023


Vulnerability identifier: #VU78852
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-4052
CWE-ID: CWE-277
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Mozilla
Affected software:
Mozilla Firefox
Firefox ESR

Detailed vulnerability description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the Firefox uninstaller follows symbolic links when removing files from a directory created by the application updater that is writable by non-privileged users. A local user can create symbolic links to critical files on the system, and those files are then deleted when Firefox is uninstalled.

Note that this vulnerability affects Windows installations only.
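The defect described above is a recursive delete that trusts whatever it finds in a user-writable directory. The following added example (not Mozilla's code) shows the shape of a deletion routine that does not have this flaw: it refuses to operate when the root itself is a link, never descends through a symbolic link or Windows junction it meets inside the tree, and removes only the link object when it finds one. The function names and the returned counts are my own; the junction check relies on `os.path.isjunction`, which exists only in Python 3.12+ on Windows, and is a no-op elsewhere.

```python
"""Delete a directory tree without following symlinks or junctions."""
import os


def _is_reparse_point(path: str) -> bool:
    """True for a symlink on any OS, or a junction on Windows (Python >= 3.12)."""
    isjunction = getattr(os.path, "isjunction", lambda _p: False)
    return os.path.islink(path) or isjunction(path)


def safe_rmtree(root: str) -> dict:
    """Remove `root` and its contents, never acting through a link.

    A link found anywhere inside the tree is unlinked: the link object goes
    away and its target is untouched. If `root` itself is a link we refuse,
    because deleting its contents would act on the target tree.
    Returns counts so a caller (or a test) can see what was removed.
    Note: a race between the link check and the recursion is a separate
    concern; closing it needs directory-fd based traversal, not shown here.
    """
    root = os.fspath(root)
    if _is_reparse_point(root):
        raise ValueError(f"refusing to remove tree via link: {root}")
    stats = {"files": 0, "dirs": 0, "links_skipped": 0}
    _remove_children(root, stats)
    os.rmdir(root)
    stats["dirs"] += 1
    return stats


def _remove_children(directory: str, stats: dict) -> None:
    """Delete entries of `directory`; links are removed, never traversed."""
    with os.scandir(directory) as entries:
        for entry in entries:
            if _is_reparse_point(entry.path):
                # Removes only the link itself (CPython's os.unlink handles
                # directory symlinks on Windows too); the target is untouched.
                os.unlink(entry.path)
                stats["links_skipped"] += 1
            elif entry.is_dir(follow_symlinks=False):
                _remove_children(entry.path, stats)
                os.rmdir(entry.path)
                stats["dirs"] += 1
            else:
                os.unlink(entry.path)
                stats["files"] += 1
```

Run it against a directory that contains a link to a file outside the tree and a link to a directory outside the tree: the tree disappears, the link targets survive.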


How to mitigate CVE-2023-4052

Install updates from the vendor's website.

Sources