Vulnerabilities > CVE-2023-4104 - Missing Authorization vulnerability in Mozilla VPN 2.16.0
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
NONE Integrity impact
HIGH Availability impact
NONE Summary
An invalid Polkit Authentication check and missing authentication requirements for D-Bus methods allowed any local user to configure arbitrary VPN setups. *This bug only affects Mozilla VPN on Linux. Other operating systems are unaffected.* This vulnerability affects Mozilla VPN client for Linux < v2.16.1.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Common Weakness Enumeration (CWE)
References
- https://github.com/mozilla-mobile/mozilla-vpn-client/pull/7055
- https://github.com/mozilla-mobile/mozilla-vpn-client/pull/7110
- https://bugzilla.mozilla.org/show_bug.cgi?id=1831318
- https://github.com/mozilla-mobile/mozilla-vpn-client/pull/7151
- https://www.mozilla.org/security/advisories/mfsa2023-39/
- https://www.openwall.com/lists/oss-security/2023/08/03/1