CVE-2023-29538: Directory path leak in Firefox WebExtensions through URI handling vulnerability.


Description Preview

CVE-2023-29538 affects Firefox, Firefox for Android, and Focus for Android versions prior to 112. The vulnerability occurs when WebExtensions receive a jar:file:/// URI instead of the expected moz-extension:/// URI during load requests under specific circumstances. This improper URI handling exposes directory paths on the user's machine, potentially revealing sensitive information about the user's file system structure to extensions.

Overview

This vulnerability (CWE-668: Exposure of Resource to Wrong Sphere) occurs in Mozilla Firefox's WebExtension handling mechanism. Under certain conditions, the browser incorrectly provides WebExtensions with jar:file:/// URIs that contain local file system paths instead of properly sandboxed moz-extension:/// URIs. This information disclosure vulnerability could allow extensions to gain knowledge of the user's directory structure, which should normally be restricted. The issue affects Firefox, Firefox for Android, and Focus for Android versions before 112, potentially compromising user privacy by exposing file system information that should remain inaccessible to extensions.
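The difference between the two URI forms is what makes the leak visible: a moz-extension:/// URI carries only an opaque extension id, while a jar:file:/// URI embeds the on-disk path of the installed .xpi ahead of the `!/` separator. The following check, an added example that is not Mozilla's code or part of the advisory, classifies a resource URI an extension or a reviewer has observed and extracts the exposed path so it can be flagged or redacted before logging. The sample URIs and the profile path in them are constructed.

```javascript
// Added example: classify a WebExtension resource URI as the expected
// sandboxed form (moz-extension:///) or the leaking form (jar:file:///)
// described for CVE-2023-29538, and surface the path a jar:file URI exposes.
// jar: URIs have the shape jar:<outer archive URI>!/<entry inside archive>.
const JAR_FILE_RE = /^jar:file:\/\/(\/[^!]*)!\/(.*)$/;

function classifyExtensionUri(uri) {
  if (uri.startsWith("moz-extension://")) {
    // Expected case: opaque per-profile id as host, no filesystem data.
    const u = new URL(uri);
    return { scheme: "moz-extension", leaksPath: false,
             extensionId: u.host, resource: u.pathname };
  }
  const m = JAR_FILE_RE.exec(uri);
  if (m) {
    // Leaking case: the outer component is the .xpi's location on disk,
    // which reveals the profile directory and usually the user name.
    return { scheme: "jar:file", leaksPath: true,
             exposedPath: decodeURIComponent(m[1]), resource: "/" + m[2] };
  }
  return { scheme: uri.split(":")[0], leaksPath: false };
}

// Replace the exposed on-disk path so a URI can be logged safely.
function redactExtensionUri(uri) {
  const info = classifyExtensionUri(uri);
  return info.leaksPath ? "jar:file://<redacted>!" + info.resource : uri;
}

// Constructed sample URIs (not taken from any real profile).
const SAMPLES = [
  "moz-extension://0d3e4f6a-1b2c-4d5e-8f90-abcdef123456/manifest.json",
  "jar:file:///home/alice/.mozilla/firefox/x1y2z3.default/extensions/ext@example.com.xpi!/manifest.json",
];

for (const s of SAMPLES) {
  const info = classifyExtensionUri(s);
  console.log(info.leaksPath ? "LEAK  " : "ok    ", redactExtensionUri(s));
}
```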

Remediation

Users should update to Firefox version 112 or later, Firefox for Android version 112 or later, or Focus for Android version 112 or later. Mozilla has fixed the vulnerability in these versions by ensuring WebExtensions consistently receive the appropriate moz-extension:/// URIs instead of jar:file:/// URIs. System administrators should ensure that all Firefox installations in their environment are updated to the patched versions to mitigate this vulnerability.

References

  1. Mozilla Foundation Security Advisory (MFSA2023-13): https://www.mozilla.org/security/advisories/mfsa2023-13/
  2. Mozilla Bugzilla Issue Tracking: https://bugzilla.mozilla.org/show_bug.cgi?id=1685403
  3. CWE-668: Exposure of Resource to Wrong Sphere: https://cwe.mitre.org/data/definitions/668.html

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Health Care & Social Assistance
  2. Manufacturing
  3. Public Administration
  4. Educational Services
  5. Finance and Insurance
  6. Transportation & Warehousing
  7. Utilities
  8. Retail Trade
  9. Professional, Scientific, & Technical Services
  10. Other Services (except Public Administration)
  11. Arts, Entertainment & Recreation
  12. Information
  13. Management of Companies & Enterprises
  14. Agriculture, Forestry, Fishing & Hunting
  15. Mining
  16. Real Estate Rental & Leasing
  17. Construction
  18. Accommodation & Food Services
  19. Administrative, Support, Waste Management & Remediation Services
  20. Wholesale Trade
