Bug 2250901 (CVE-2023-6209) - CVE-2023-6209 Mozilla: Incorrect parsing of relative URLs starting with "///"
Summary: CVE-2023-6209 Mozilla: Incorrect parsing of relative URLs starting with "///"
Keywords:
Status: NEW
Alias: CVE-2023-6209
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2249647
TreeView+ depends on / blocked
 
Reported: 2023-11-21 17:42 UTC by Mauro Matteo Cascella
Modified: 2023-11-29 13:55 UTC (History)
0 users

Fixed In Version: firefox 115.5, thunderbird 115.5
Doc Type: ---
Doc Text:
The Mozilla Foundation Security Advisory describes this flaw as: Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/../" part in the path could be used to override the specified host. This could contribute to security problems in web sites.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:7499 0 None None None 2023-11-27 15:44:30 UTC
Red Hat Product Errata RHSA-2023:7500 0 None None None 2023-11-27 15:46:56 UTC
Red Hat Product Errata RHSA-2023:7501 0 None None None 2023-11-27 15:47:05 UTC
Red Hat Product Errata RHSA-2023:7502 0 None None None 2023-11-27 15:44:54 UTC
Red Hat Product Errata RHSA-2023:7503 0 None None None 2023-11-27 15:57:34 UTC
Red Hat Product Errata RHSA-2023:7504 0 None None None 2023-11-27 15:48:27 UTC
Red Hat Product Errata RHSA-2023:7505 0 None None None 2023-11-27 16:10:21 UTC
Red Hat Product Errata RHSA-2023:7506 0 None None None 2023-11-27 16:03:07 UTC
Red Hat Product Errata RHSA-2023:7507 0 None None None 2023-11-27 16:09:19 UTC
Red Hat Product Errata RHSA-2023:7508 0 None None None 2023-11-27 16:10:15 UTC
Red Hat Product Errata RHSA-2023:7509 0 None None None 2023-11-27 16:18:15 UTC
Red Hat Product Errata RHSA-2023:7510 0 None None None 2023-11-27 16:03:17 UTC
Red Hat Product Errata RHSA-2023:7511 0 None None None 2023-11-27 16:10:08 UTC
Red Hat Product Errata RHSA-2023:7512 0 None None None 2023-11-27 16:25:03 UTC
Red Hat Product Errata RHSA-2023:7547 0 None None None 2023-11-28 15:12:09 UTC
Red Hat Product Errata RHSA-2023:7569 0 None None None 2023-11-29 12:49:27 UTC
Red Hat Product Errata RHSA-2023:7570 0 None None None 2023-11-29 12:49:34 UTC
Red Hat Product Errata RHSA-2023:7573 0 None None None 2023-11-29 13:43:02 UTC
Red Hat Product Errata RHSA-2023:7574 0 None None None 2023-11-29 13:43:13 UTC
Red Hat Product Errata RHSA-2023:7577 0 None None None 2023-11-29 13:55:09 UTC

Description Mauro Matteo Cascella 2023-11-21 17:42:39 UTC 
Relative URLs starting with three slashes were incorrectly parsed, and a
path-traversal "/../" part in the path could be used to override the
specified host. This could contribute to security problems in web sites.

External Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6209
Comment 27 errata-xmlrpc 2023-11-27 15:44:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7499 https://access.redhat.com/errata/RHSA-2023:7499
Comment 28 errata-xmlrpc 2023-11-27 15:44:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:7502 https://access.redhat.com/errata/RHSA-2023:7502
Comment 29 errata-xmlrpc 2023-11-27 15:46:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7500 https://access.redhat.com/errata/RHSA-2023:7500
Comment 30 errata-xmlrpc 2023-11-27 15:47:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7501 https://access.redhat.com/errata/RHSA-2023:7501
Comment 31 errata-xmlrpc 2023-11-27 15:48:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2023:7504 https://access.redhat.com/errata/RHSA-2023:7504
Comment 32 errata-xmlrpc 2023-11-27 15:57:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:7503 https://access.redhat.com/errata/RHSA-2023:7503
Comment 33 errata-xmlrpc 2023-11-27 16:03:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:7506 https://access.redhat.com/errata/RHSA-2023:7506
Comment 34 errata-xmlrpc 2023-11-27 16:03:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:7510 https://access.redhat.com/errata/RHSA-2023:7510
Comment 35 errata-xmlrpc 2023-11-27 16:09:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7507 https://access.redhat.com/errata/RHSA-2023:7507
Comment 36 errata-xmlrpc 2023-11-27 16:10:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2023:7511 https://access.redhat.com/errata/RHSA-2023:7511
Comment 37 errata-xmlrpc 2023-11-27 16:10:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7508 https://access.redhat.com/errata/RHSA-2023:7508
Comment 38 errata-xmlrpc 2023-11-27 16:10:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:7505 https://access.redhat.com/errata/RHSA-2023:7505
Comment 39 errata-xmlrpc 2023-11-27 16:18:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:7509 https://access.redhat.com/errata/RHSA-2023:7509
Comment 40 errata-xmlrpc 2023-11-27 16:25:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:7512 https://access.redhat.com/errata/RHSA-2023:7512
Comment 41 errata-xmlrpc 2023-11-28 15:12:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:7547 https://access.redhat.com/errata/RHSA-2023:7547
Comment 42 errata-xmlrpc 2023-11-29 12:49:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:7569 https://access.redhat.com/errata/RHSA-2023:7569
Comment 43 errata-xmlrpc 2023-11-29 12:49:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:7570 https://access.redhat.com/errata/RHSA-2023:7570
Comment 44 errata-xmlrpc 2023-11-29 13:43:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:7573 https://access.redhat.com/errata/RHSA-2023:7573
Comment 45 errata-xmlrpc 2023-11-29 13:43:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:7574 https://access.redhat.com/errata/RHSA-2023:7574
Comment 46 errata-xmlrpc 2023-11-29 13:55:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7577 https://access.redhat.com/errata/RHSA-2023:7577
Note You need to log in before you can comment on or make changes to this bug.