CVE-2023-4104

Published: 2023-09-11 Updated: 2023-09-13
CVSS v3 Base Score: 5.5 | Impact Score: 3.6 | Exploitability Score: 1.8
VMScore: 0

Vulnerability Summary

An invalid Polkit authentication check and missing authentication requirements for D-Bus methods allowed any local user to configure arbitrary VPN setups. This bug only affects Mozilla VPN on Linux; other operating systems are unaffected. This vulnerability affects the Mozilla VPN client for Linux in versions before 2.16.1.
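The two weaknesses named above, a polkit check whose result is not acted on and privileged D-Bus methods with no check at all, are a recurring bug class in system daemons. The following is an added, generic illustration of that class beside the hardened form (deny by default, one polkit action per method, and an explicit is_authorized check). It is not Mozilla VPN's code, makes no claim about what the real daemon did internally, and stubs the polkit authority so it runs offline; all action ids, uids and the constructed configuration are hypothetical.

```python
"""Generic illustration: gate every privileged D-Bus method behind a
Polkit authorization check on the caller and deny by default.
Added example, not Mozilla VPN's code; the polkit authority is stubbed so
it runs offline, and all names and values are hypothetical."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class AuthResult:
    """Constructed stand-in for polkit's CheckAuthorization reply."""
    is_authorized: bool
    is_challenge: bool = False


class StubAuthority:
    """Hypothetical stand-in for org.freedesktop.PolicyKit1.Authority.
    A real service would call CheckAuthorization on the system bus with a
    subject built from the message sender (unix-process / system-bus-name),
    never from a uid supplied in the method arguments."""

    def __init__(self, admin_uids):
        self.admin_uids = set(admin_uids)

    def check_authorization(self, caller_uid, action_id):
        # Constructed policy: listed admin uids are authorized for any
        # action; everyone else is denied without a challenge.
        return AuthResult(is_authorized=caller_uid in self.admin_uids)


# Hypothetical polkit action ids, one per privileged method.
ACTIONS = {
    "activate": "org.example.vpn.activate",
    "deactivate": "org.example.vpn.deactivate",
    "cleanupLogs": "org.example.vpn.cleanup-logs",
}


@dataclass
class VpnState:
    """The privileged operations themselves, shared by both daemons."""
    config: dict = field(default_factory=dict)
    active: bool = False
    logs: list = field(default_factory=lambda: ["constructed log line"])

    def _activate(self, config):
        self.config, self.active = dict(config), True
        return True

    def _deactivate(self):
        self.active = False
        return True

    def _cleanupLogs(self):
        self.logs.clear()
        return True


class WeakDaemon(VpnState):
    """Weak pattern: only 'activate' consults polkit, the reply is not
    inspected, and the other methods have no check at all."""

    def __init__(self, authority):
        super().__init__()
        self.authority = authority

    def call(self, method, caller_uid, *args):
        if method == "activate":
            self.authority.check_authorization(caller_uid, ACTIONS[method])  # reply ignored
        return getattr(self, "_" + method)(*args)


class HardenedDaemon(VpnState):
    """Hardened pattern: unknown methods are rejected, every method maps to
    an action id, and only an explicit is_authorized=True lets the call through."""

    def __init__(self, authority):
        super().__init__()
        self.authority = authority

    def call(self, method, caller_uid, *args):
        action_id = ACTIONS.get(method)
        if action_id is None:
            raise PermissionError(f"unknown or ungated method: {method}")
        result = self.authority.check_authorization(caller_uid, action_id)
        if not result.is_authorized:
            # is_challenge=True is also a denial for a non-interactive daemon.
            raise PermissionError(f"uid {caller_uid} not authorized for {action_id}")
        return getattr(self, "_" + method)(*args)


def is_denied(daemon, method, caller_uid, *args):
    """True if the daemon refuses the call with PermissionError."""
    try:
        daemon.call(method, caller_uid, *args)
    except PermissionError:
        return True
    return False


def demo():
    """Unprivileged uid 1000 against an authority that only trusts uid 0."""
    attacker_config = {"server": "198.51.100.7", "dns": "198.51.100.53"}  # constructed
    weak = WeakDaemon(StubAuthority(admin_uids=[0]))
    weak_result = weak.call("activate", 1000, attacker_config)  # goes through
    hardened = HardenedDaemon(StubAuthority(admin_uids=[0]))
    denied = is_denied(hardened, "activate", 1000, attacker_config)
    root_ok = hardened.call("activate", 0, {"server": "203.0.113.1"})
    return weak_result, weak.active, denied, root_ok


if __name__ == "__main__":
    print(demo())
```

The point of the hardened dispatcher is that the method table, not the method body, decides whether a caller may proceed: a new method added without an action id is refused rather than silently exposed, and the caller identity used for the check must come from the bus sender, not from anything the client passes as an argument.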

Vulnerable Products

Mozilla VPN client for Linux (versions before 2.16.1)

Vendor Advisories

Debian Bug report logs - #1043004 mozillavpn: CVE-2023-4104. Package: src:mozillavpn; Maintainer for src:mozillavpn is Sylvestre Ledru <sylvestre@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Fri, 4 Aug 2023 05:27:01 UTC; Severity: grave; Tags: security, upstream; Found in version mozillavpn/ ...
Mozilla Foundation Security Advisory 2023-39: Security Issues in Mozilla VPN for Linux prior to v2.16.1. Announced August 30, 2023. Impact: moderate. Products: Mozilla VPN client for Linux. Fixed in Mozilla ...

Recent Articles

Alarm raised over Mozilla VPN: Wonky authorization check lets users cause havoc
The Register

SUSE security engineer goes public on unfixed problem after disclosure drama

A security engineer at Linux distro maker SUSE has published an advisory for a flaw in the Mozilla VPN client for Linux that has yet to be addressed in a publicly released fix because the disclosure process went off the rails. In a post to the Openwall security mailing list, Matthias Gerstner describes a broken authentication check in Mozilla VPN client v2.14.1, released on May 30. Essentially, the client can be exploited by any user on a system to, among other things, configure their own arbitr...