Polkit Authentication Flaw in Mozilla VPN Client for Linux
CVE-2023-4104

5.5 MEDIUM

Key Information:

Vendor: Mozilla
CVE Published: 11 September 2023

Summary

An improper Polkit Authentication check in the Mozilla VPN client for Linux allows local users to create and configure arbitrary VPN setups without the necessary credentials. This oversight compromises the integrity of VPN configurations, potentially enabling unauthorized access to secured networks and sensitive data. The issue is limited to versions prior to 2.16.1 on Linux, while other operating systems remain unaffected.

Affected Version(s)

Mozilla VPN client for Linux < unspecified

CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Matthias Gerstner