{"api_version":"1","generated_at":"2026-04-22T23:31:55+00:00","cve":"CVE-2023-34414","urls":{"html":"https://cve.report/CVE-2023-34414","api":"https://cve.report/api/cve/CVE-2023-34414.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-34414","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-34414"},"summary":{"title":"CVE-2023-34414","description":"The error page for sites with invalid TLS certificates was missing the\nactivation-delay Firefox uses to protect prompts and permission dialogs\nfrom attacks that exploit human response time delays. If a malicious\npage elicited user clicks in precise locations immediately before\nnavigating to a site with a certificate error and made the renderer\nextremely busy at the same time, it could create a gap between when\nthe error page was loaded and when the display actually refreshed.\nWith the right timing the elicited clicks could land in that gap and \nactivate the button that overrides the certificate error for that site. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2023-06-19 11:15:00","updated_at":"2024-01-07 11:15:00"},"problem_types":["CWE-295"],"metrics":[],"references":[{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1695986","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1695986","refsource":"MISC","tags":[],"title":"Access Denied","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202401-10","name":"https://security.gentoo.org/glsa/202401-10","refsource":"","tags":[],"title":"","mime":"","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202312-03","name":"https://security.gentoo.org/glsa/202312-03","refsource":"","tags":[],"title":"","mime":"","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2023-21/","name":"https://www.mozilla.org/security/advisories/mfsa2023-21/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Thunderbird 102.12 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.mozilla.org/security/advisories/mfsa2023-20/","name":"https://www.mozilla.org/security/advisories/mfsa2023-20/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Firefox 114 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2023-19/","name":"https://www.mozilla.org/security/advisories/mfsa2023-19/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Firefox ESR 102.12 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-34414","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34414","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"34414","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"34414","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"34414","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-34414","qid":"160723","title":"Oracle Enterprise Linux Security Update for thunderbird (ELSA-2023-3563)"},{"cve":"CVE-2023-34414","qid":"160733","title":"Oracle Enterprise Linux Security Update for firefox (ELSA-2023-3579)"},{"cve":"CVE-2023-34414","qid":"160737","title":"Oracle Enterprise Linux Security Update for firefox (ELSA-2023-3590)"},{"cve":"CVE-2023-34414","qid":"160738","title":"Oracle Enterprise Linux Security Update for thunderbird (ELSA-2023-3588)"},{"cve":"CVE-2023-34414","qid":"160742","title":"Oracle Enterprise Linux Security Update for thunderbird (ELSA-2023-3587)"},{"cve":"CVE-2023-34414","qid":"160744","title":"Oracle Enterprise Linux Security Update for firefox (ELSA-2023-3589)"},{"cve":"CVE-2023-34414","qid":"181831","title":"Debian Security Update for firefox-esr (DSA 5421-1)"},{"cve":"CVE-2023-34414","qid":"181833","title":"Debian Security Update for firefox-esr (DLA 3448-1)"},{"cve":"CVE-2023-34414","qid":"181839","title":"Debian Security Update for thunderbird (DSA 5423-1)"},{"cve":"CVE-2023-34414","qid":"181840","title":"Debian Security Update for thunderbird (DLA 3452-1)"},{"cve":"CVE-2023-34414","qid":"199400","title":"Ubuntu Security Notification for Firefox Vulnerabilities (USN-6143-1)"},{"cve":"CVE-2023-34414","qid":"199457","title":"Ubuntu Security Notification for Thunderbird Vulnerabilities (USN-6214-1)"},{"cve":"CVE-2023-34414","qid":"241690","title":"Red Hat Update for thunderbird (RHSA-2023:3563)"},{"cve":"CVE-2023-34414","qid":"241691","title":"Red Hat Update for firefox (RHSA-2023:3560)"},{"cve":"CVE-2023-34414","qid":"241692","title":"Red Hat Update for firefox (RHSA-2023:3561)"},{"cve":"CVE-2023-34414","qid":"241694","title":"Red Hat Update for thunderbird (RHSA-2023:3564)"},{"cve":"CVE-2023-34414","qid":"241695","title":"Red Hat Update for thunderbird (RHSA-2023:3565)"},{"cve":"CVE-2023-34414","qid":"241697","title":"Red Hat Update for firefox (RHSA-2023:3562)"},{"cve":"CVE-2023-34414","qid":"241704","title":"Red Hat Update for firefox (RHSA-2023:3597)"},{"cve":"CVE-2023-34414","qid":"241706","title":"Red Hat Update for thunderbird (RHSA-2023:3596)"},{"cve":"CVE-2023-34414","qid":"241709","title":"Red Hat Update for thunderbird (RHSA-2023:3567)"},{"cve":"CVE-2023-34414","qid":"241711","title":"Red Hat Update for thunderbird (RHSA-2023:3566)"},{"cve":"CVE-2023-34414","qid":"241713","title":"Red Hat Update for firefox (RHSA-2023:3579)"},{"cve":"CVE-2023-34414","qid":"241714","title":"Red Hat Update for firefox (RHSA-2023:3578)"},{"cve":"CVE-2023-34414","qid":"241719","title":"Red Hat Update for thunderbird (RHSA-2023:3587)"},{"cve":"CVE-2023-34414","qid":"241720","title":"Red Hat Update for thunderbird (RHSA-2023:3588)"},{"cve":"CVE-2023-34414","qid":"241723","title":"Red Hat Update for firefox (RHSA-2023:3590)"},{"cve":"CVE-2023-34414","qid":"241725","title":"Red Hat Update for firefox (RHSA-2023:3589)"},{"cve":"CVE-2023-34414","qid":"296101","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 59.138.2 Missing (CPUJUL2023)"},{"cve":"CVE-2023-34414","qid":"356254","title":"Amazon Linux Security Advisory for firefox : ALASFIREFOX-2023-003"},{"cve":"CVE-2023-34414","qid":"378555","title":"Mozilla Firefox ESR Multiple Vulnerabilities (MFSA2023-19)"},{"cve":"CVE-2023-34414","qid":"378556","title":"Mozilla Firefox Multiple Vulnerabilities (MFSA2023-20)"},{"cve":"CVE-2023-34414","qid":"378565","title":"Mozilla Thunderbird Multiple Vulnerabilities (MFSA2023-21)"},{"cve":"CVE-2023-34414","qid":"503448","title":"Alpine Linux Security Update for firefox-esr"},{"cve":"CVE-2023-34414","qid":"506056","title":"Alpine Linux Security Update for firefox-esr"},{"cve":"CVE-2023-34414","qid":"710803","title":"Gentoo Linux Mozilla Thunderbird Multiple Vulnerabilities (GLSA 202312-03)"},{"cve":"CVE-2023-34414","qid":"710830","title":"Gentoo Linux Mozilla Firefox Multiple Vulnerabilities (GLSA 202401-10)"},{"cve":"CVE-2023-34414","qid":"754073","title":"SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2023:2441-1)"},{"cve":"CVE-2023-34414","qid":"754074","title":"SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2023:2440-1)"},{"cve":"CVE-2023-34414","qid":"754090","title":"SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2023:2489-1)"},{"cve":"CVE-2023-34414","qid":"755841","title":"SUSE Enterprise Linux Security Update for mozillathunderbird (SUSE-SU-2023:2612-1)"},{"cve":"CVE-2023-34414","qid":"941135","title":"AlmaLinux Security Update for firefox (ALSA-2023:3590)"},{"cve":"CVE-2023-34414","qid":"941136","title":"AlmaLinux Security Update for thunderbird (ALSA-2023:3588)"},{"cve":"CVE-2023-34414","qid":"941137","title":"AlmaLinux Security Update for firefox (ALSA-2023:3589)"},{"cve":"CVE-2023-34414","qid":"941138","title":"AlmaLinux Security Update for thunderbird (ALSA-2023:3587)"},{"cve":"CVE-2023-34414","qid":"960951","title":"Rocky Linux Security Update for thunderbird (RLSA-2023:3587)"},{"cve":"CVE-2023-34414","qid":"960952","title":"Rocky Linux Security Update for thunderbird (RLSA-2023:3588)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-34414","ASSIGNER":"security@mozilla.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"The error page for sites with invalid TLS certificates was missing the\nactivation-delay Firefox uses to protect prompts and permission dialogs\nfrom attacks that exploit human response time delays. If a malicious\npage elicited user clicks in precise locations immediately before\nnavigating to a site with a certificate error and made the renderer\nextremely busy at the same time, it could create a gap between when\nthe error page was loaded and when the display actually refreshed.\nWith the right timing the elicited clicks could land in that gap and \nactivate the button that overrides the certificate error for that site. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Click-jacking certificate exceptions through rendering lag"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Mozilla","product":{"product_data":[{"product_name":"Firefox ESR","version":{"version_data":[{"version_affected":"<","version_name":"unspecified","version_value":"102.12"}]}},{"product_name":"Firefox","version":{"version_data":[{"version_affected":"<","version_name":"unspecified","version_value":"114"}]}},{"product_name":"Thunderbird","version":{"version_data":[{"version_affected":"<","version_name":"unspecified","version_value":"102.12"}]}}]}}]}},"references":{"reference_data":[{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1695986","refsource":"MISC","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1695986"},{"url":"https://www.mozilla.org/security/advisories/mfsa2023-19/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2023-19/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2023-20/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2023-20/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2023-21/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2023-21/"}]},"credits":[{"lang":"en","value":"Irvan Kurniawan"}]},"nvd":{"publishedDate":"2023-06-19 11:15:00","lastModifiedDate":"2024-01-07 11:15:00","problem_types":["CWE-295"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW","baseScore":3.1,"baseSeverity":"LOW"},"exploitabilityScore":1.6,"impactScore":1.4}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndExcluding":"114.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*","versionEndExcluding":"102.12","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionEndExcluding":"102.12","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}