QID 356892

Date Published: 2024-01-16

QID 356892: Amazon Linux Security Advisory for firefox : ALAS2FIREFOX-2023-017

(CVE-2022-46884) A potential use-after-free vulnerability existed in SVG images if the refresh driver was destroyed at an inopportune time. This could have led to memory corruption or a potentially exploitable crash. *Note*: this advisory was added on December 13th, 2022 after discovering it was inadvertently left out of the original advisory. The fix was included in the original release of Firefox 106. This vulnerability affects Firefox < 106.

(CVE-2023-3482) When Firefox is configured to block storage of all cookies, it was still possible to store data in localStorage by using an iframe with a source of about:blank. This could have led to malicious websites storing tracking data without permission. This vulnerability affects Firefox < 115.

(CVE-2023-37203) Insufficient validation in the Drag and Drop API, in conjunction with social engineering, may have allowed an attacker to trick end-users into creating a shortcut to local system files. This could have been leveraged to execute arbitrary code.

(CVE-2023-37204) A website could have obscured the fullscreen notification by using an option element and introducing lag via an expensive computational function. This could have led to user confusion and possible spoofing attacks.

(CVE-2023-37205) The use of RTL Arabic characters in the address bar may have allowed for URL spoofing.

Uploading files which contain symlinks may have allowed an attacker to trick a user into submitting sensitive data to a malicious website.

Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.

  • CVSS V3 rated as Critical - 9.8 severity.
  • CVSS V2 rated as Medium - 5.4 severity.
  • Solution
    Please refer to Amazon advisory: ALAS2FIREFOX-2023-017 for affected packages and patching details, or update with your package manager.
    Vendor References
    Software Advisories
    Advisory ID: ALAS2FIREFOX-2023-017
    Software Component: Amazon Linux 2
    Link: alas.aws.amazon.com/AL2/ALASFIREFOX-2023-017.html