Vulnerability CVE-2023-34414: Information

Description

The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a site with a certificate error and made the renderer extremely busy at the same time, it could create a gap between when the error page was loaded and when the display actually refreshed. With the right timing the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12.

Severity: LOW (3.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

URL: https://nvd.nist.gov/vuln/detail/CVE-2023-34414
Published: June 19, 2023
Modified: Jan. 7, 2024
Error type identifier: CWE-295

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
firefoxsisyphus114.0.1-alt1126.0.1-alt1ALT-PU-2023-1974-1322807Fixed
firefoxsisyphus_riscv64114.0.1-alt0.1.rv64126.0-alt0.portALT-PU-2023-4002-1-Fixed
firefoxp10118.0.2-alt0.p10.1118.0.2-alt0.p10.1ALT-PU-2024-4241-4342418Fixed
firefoxp11114.0.1-alt1126.0.1-alt1ALT-PU-2023-1974-1322807Fixed
firefox-esrsisyphus102.12.0-alt1115.11.0-alt1ALT-PU-2023-1956-1322571Fixed
firefox-esrp10102.12.0-alt1115.11.0-alt1ALT-PU-2023-2036-1322595Fixed
firefox-esrc10f1102.12.0-alt2115.9.1-alt0.c10.1ALT-PU-2023-5239-2328286Fixed
firefox-esrc9f2102.12.0-alt0.c9.1102.12.0-alt0.c9.1ALT-PU-2023-4367-3324724Fixed
firefox-esrp11102.12.0-alt1115.11.0-alt1ALT-PU-2023-1956-1322571Fixed
thunderbirdsisyphus102.12.0-alt1115.9.0-alt1ALT-PU-2023-1993-1322997Fixed
thunderbirdp10115.8.1-alt1115.9.0-alt1ALT-PU-2024-3860-2342581Fixed
thunderbirdc10f1115.8.1-alt0.c10.1115.9.0-alt0.c10.1ALT-PU-2024-4748-2343092Fixed
thunderbirdp11102.12.0-alt1115.9.0-alt1ALT-PU-2023-1993-1322997Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://www.mozilla.org/security/advisories/mfsa2023-21/
  • Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2023-20/
  • Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2023-19/
  • Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1695986
  • Permissions Required
https://security.gentoo.org/glsa/202312-03
    https://security.gentoo.org/glsa/202401-10

        1. Configuration 1

          cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
          End excliding
          114.0
          cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
          End excliding
          102.12
          cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
          End excliding
          102.12
      VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
      Version: v24.5.3
      Back to top