Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/mozilla-mobile/mozilla-vpn-client: CVE-2023-4104 #2057

Closed
GoVulnBot opened this issue Sep 11, 2023 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/mozilla-mobile/mozilla-vpn-client: CVE-2023-4104 #2057

GoVulnBot opened this issue Sep 11, 2023 · 1 comment
Assignees
@neild
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot
Copy link

CVE-2023-4104 references github.com/mozilla-mobile/mozilla-vpn-client, which may be a Go module.

Description:
An invalid Polkit Authentication check and missing authentication requirements for D-Bus methods allowed any local user to configure arbitrary VPN setups.
This bug only affects Mozilla VPN on Linux. Other operating systems are unaffected. This vulnerability affects Mozilla VPN client for Linux < v2.16.1.

References:

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/mozilla-mobile/mozilla-vpn-client
      vulnerable_at: 2.16.1+incompatible
      packages:
        - package: Mozilla VPN client for Linux
description: |-
    An invalid Polkit Authentication check and missing authentication requirements
    for D-Bus methods allowed any local user to configure arbitrary VPN setups.
    *This bug only affects Mozilla VPN on Linux. Other operating systems are
    unaffected.* This vulnerability affects Mozilla VPN client for Linux < v2.16.1.
cves:
    - CVE-2023-4104
references:
    - web: https://bugzilla.mozilla.org/show_bug.cgi?id=1831318
    - fix: https://github.com/mozilla-mobile/mozilla-vpn-client/pull/7055
    - fix: https://github.com/mozilla-mobile/mozilla-vpn-client/pull/7110
    - fix: https://github.com/mozilla-mobile/mozilla-vpn-client/pull/7151
    - advisory: https://www.mozilla.org/security/advisories/mfsa2023-39/
    - web: https://www.openwall.com/lists/oss-security/2023/08/03/1
@neild neild self-assigned this Sep 12, 2023
@neild neild added the excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. label Sep 12, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/528596 mentions this issue: data/excluded: batch add 10 excluded reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@neild neild

Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@neild @gopherbot @GoVulnBot