First published: Tue Jul 04 2023(Updated: )
Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.
Credit: security@mozilla.org security@mozilla.org
Affected Software | Affected Version | How to fix |
---|---|---|
Mozilla Thunderbird | <102.13 | 102.13 |
Mozilla Firefox ESR | <102.13 | 102.13 |
ubuntu/firefox | <115.0-1 | 115.0-1 |
ubuntu/firefox | <115.0+ | 115.0+ |
ubuntu/thunderbird | <1:102.13.0+ | 1:102.13.0+ |
ubuntu/thunderbird | <1:102.13.0+ | 1:102.13.0+ |
ubuntu/thunderbird | <1:102.13.0+ | 1:102.13.0+ |
ubuntu/thunderbird | <1:102.13.0+ | 1:102.13.0+ |
ubuntu/mozjs102 | <102.13.0-0ubuntu0.22.04.1 | 102.13.0-0ubuntu0.22.04.1 |
ubuntu/mozjs102 | <102.13.0-0ubuntu0.22.10.1 | 102.13.0-0ubuntu0.22.10.1 |
ubuntu/mozjs102 | <102.13.0-0ubuntu0.23.04.1 | 102.13.0-0ubuntu0.23.04.1 |
redhat/firefox | <102.13 | 102.13 |
redhat/thunderbird | <102.13 | 102.13 |
Mozilla Firefox | <115 | 115 |
Mozilla Firefox | <115.0 | |
Mozilla Firefox ESR | <102.13 | |
Mozilla Thunderbird | <102.13 | |
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
Debian Debian Linux | =12.0 | |
debian/firefox | 123.0-1 | |
debian/firefox-esr | <=91.12.0esr-1~deb10u1 | 115.8.0esr-1~deb10u1 115.7.0esr-1~deb11u1 115.8.0esr-1~deb11u1 115.7.0esr-1~deb12u1 115.8.0esr-1~deb12u1 115.8.0esr-1 |
debian/thunderbird | <=1:91.12.0-1~deb10u1 | 1:115.8.0-1~deb10u1 1:115.7.0-1~deb11u1 1:115.8.0-1~deb11u1 1:115.7.0-1~deb12u1 1:115.8.0-1~deb12u1 1:115.7.0-1 1:115.8.1-1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
(Found alongside the following vulnerabilities)
The vulnerability ID is CVE-2023-37202.
This vulnerability affects Firefox versions less than 115, Firefox ESR versions less than 102.13, and Thunderbird versions less than 102.13.
The severity of CVE-2023-37202 is high, with a severity value of 7.
Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free.
You can find more information about CVE-2023-37202 in the following references: [Bugzilla](https://bugzilla.mozilla.org/show_bug.cgi?id=1834711), [Mozilla Security Advisory](https://www.mozilla.org/security/advisories/mfsa2023-22/), [Mozilla Security Advisory](https://www.mozilla.org/security/advisories/mfsa2023-23/).