Lucene search

K
ubuntucveUbuntu.comUB:CVE-2023-5173
HistorySep 28, 2023 - 12:00 a.m.

CVE-2023-5173

2023-09-2800:00:00
ubuntu.com
ubuntu.com
14
firefox
integer overflow
network traffic

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

21.1%

In a non-standard configuration of Firefox, an integer overflow could have
occurred based on network traffic (possibly under influence of a local
unprivileged webpage), leading to an out-of-bounds write to privileged
process memory. This bug only affects Firefox if a non-standard preference
allowing non-HTTPS Alternate Services (network.http.altsvc.oe) is
enabled.
This vulnerability affects Firefox < 118.

Notes

Author Note
tyhicks mozjs contains a copy of the SpiderMonkey JavaScript engine
mdeslaur starting with Ubuntu 22.04, the firefox package is just a script that installs the Firefox snap

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

21.1%