CVE-2023-6209: Path Traversal
First published: Tue Nov 21 2023(Updated: )
Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/../" part in the path could be used to override the specified host. This could contribute to security problems in web sites. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.
Credit: security@mozilla.org security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/firefox | <115.5 | 115.5 |
| redhat/thunderbird | <115.5 | 115.5 |
| ubuntu/firefox | <120.0+ | 120.0+ |
| ubuntu/thunderbird | <1:115.5.0+ | 1:115.5.0+ |
| ubuntu/thunderbird | <1:115.5.0+ | 1:115.5.0+ |
| ubuntu/thunderbird | <1:115.5.0+ | 1:115.5.0+ |
| ubuntu/thunderbird | <1:115.5.0+ | 1:115.5.0+ |
| Mozilla Thunderbird | <115.5 | 115.5 |
| Mozilla Firefox ESR | <115.5 | 115.5 |
| Mozilla Firefox | <120 | 120 |
| Mozilla Firefox | <120.0 | |
| Mozilla Firefox ESR | <115.5.0 | |
| Mozilla Thunderbird | <115.5 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| Debian Debian Linux | =12.0 | |
| debian/firefox | 123.0-1 | |
| debian/firefox-esr | <=91.12.0esr-1~deb10u1 | 115.8.0esr-1~deb10u1 115.7.0esr-1~deb11u1 115.8.0esr-1~deb11u1 115.7.0esr-1~deb12u1 115.8.0esr-1~deb12u1 115.8.0esr-1 |
| debian/thunderbird | <=1:91.12.0-1~deb10u1 | 1:115.8.0-1~deb10u1 1:115.7.0-1~deb11u1 1:115.8.0-1~deb11u1 1:115.7.0-1~deb12u1 1:115.8.0-1~deb12u1 1:115.7.0-1 1:115.8.1-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1858570
- https://www.mozilla.org/security/advisories/mfsa2023-49/
- https://www.mozilla.org/security/advisories/mfsa2023-50/
- https://www.mozilla.org/security/advisories/mfsa2023-52/
- https://www.debian.org/security/2023/dsa-5561
- https://lists.debian.org/debian-lts-announce/2023/11/msg00017.html
- https://lists.debian.org/debian-lts-announce/2023/11/msg00030.html
- https://launchpad.net/bugs/cve/CVE-2023-6209
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6209
- https://access.redhat.com/errata/RHSA-2023:7499
- https://access.redhat.com/errata/RHSA-2023:7502
- https://access.redhat.com/errata/RHSA-2023:7500
- https://access.redhat.com/errata/RHSA-2023:7501
- https://access.redhat.com/errata/RHSA-2023:7504
- https://access.redhat.com/errata/RHSA-2023:7503
- https://access.redhat.com/errata/RHSA-2023:7506
- https://access.redhat.com/errata/RHSA-2023:7510
- https://access.redhat.com/errata/RHSA-2023:7507
- https://access.redhat.com/errata/RHSA-2023:7511
- https://access.redhat.com/errata/RHSA-2023:7508
- https://access.redhat.com/errata/RHSA-2023:7505
- https://access.redhat.com/errata/RHSA-2023:7509
- https://access.redhat.com/errata/RHSA-2023:7512
- https://access.redhat.com/errata/RHSA-2023:7547
- https://access.redhat.com/errata/RHSA-2023:7569
- https://access.redhat.com/errata/RHSA-2023:7570
- https://access.redhat.com/errata/RHSA-2023:7573
- https://access.redhat.com/errata/RHSA-2023:7574
- https://access.redhat.com/errata/RHSA-2023:7577
- https://bugzilla.redhat.com/show_bug.cgi?id=2250901
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6209
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6209
- https://security-tracker.debian.org/tracker/CVE-2023-6209
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6209
- https://ubuntu.com/security/notices/USN-6509-1
- https://ubuntu.com/security/notices/USN-6515-1
- https://nvd.nist.gov/vuln/detail/CVE-2023-6209
- https://ubuntu.com/security/CVE-2023-6209
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is CVE-2023-6209?
CVE-2023-6209 is a vulnerability that affects Firefox versions less than 120, Firefox versions less than 115.5, and Thunderbird versions less than 115.5.0. It allows for path traversal in the URL path, which can override the specified host and potentially lead to security issues.
How does CVE-2023-6209 affect web sites?
CVE-2023-6209 can contribute to security problems in web sites as it allows for the override of specified hosts through path traversal in the URL path.
What is the severity of CVE-2023-6209?
CVE-2023-6209 has a severity level of medium with a severity value of 4 on a scale of 1-5.
Which software versions are affected by CVE-2023-6209?
Firefox versions less than 120, Firefox versions less than 115.5, and Thunderbird versions less than 115.5.0 are affected by CVE-2023-6209.
How can I remediate CVE-2023-6209?
To remediate CVE-2023-6209, ensure that you update Firefox to version 120 or above, Firefox to version 115.5 or above, and Thunderbird to version 115.5.0 or above.
- collector/mitre-cve
- agent/type
- agent/author
- agent/last-modified-date
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-6209
- agent/software-canonical-lookup
- agent/weakness
- agent/references
- agent/severity
- agent/description
- collector/usn-cve
- source/Ubuntu
- collector/mozilla-advisory
- source/Mozilla
- agent/tags
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/software-canonical-lookup-request
- collector/nvd-api
- collector/nvd-cve
- source/NVD
- package-manager/redhat
- package-manager/ubuntu
- vendor/mozilla
- canonical/mozilla thunderbird
- package-manager/debian
- canonical/mozilla firefox esr
- canonical/mozilla firefox
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- version/debian debian linux/12.0