{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4055", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2023-08-01T15:00:27.480Z", "datePublished": "2023-08-01T15:01:20.220Z", "dateUpdated": "2024-08-02T07:17:11.427Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"lessThan": "116", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Firefox ESR", "vendor": "Mozilla", "versions": [{"lessThan": "102.14", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Firefox ESR", "vendor": "Mozilla", "versions": [{"lessThan": "115.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "When the number of cookies per domain was exceeded in `document.cookie`, the actual cookie jar sent to the host was no longer consistent with expected cookie jar state. This could have caused requests to be sent with some cookies missing. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "When the number of cookies per domain was exceeded in <code>document.cookie</code>, the actual cookie jar sent to the host was no longer consistent with expected cookie jar state. This could have caused requests to be sent with some cookies missing. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1."}]}], "problemTypes": [{"descriptions": [{"description": "Cookie jar overflow caused unexpected cookie jar state", "lang": "en", "type": "text"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1782561"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2023-29/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2023-30/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2023-31/"}, {"url": "https://www.debian.org/security/2023/dsa-5464"}, {"url": "https://www.debian.org/security/2023/dsa-5469"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00008.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00010.html"}], "credits": [{"lang": "en", "value": "Marco Squarcina"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2023-08-01T15:01:20.220Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:17:11.427Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1782561", "tags": ["x_transferred"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2023-29/", "tags": ["x_transferred"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2023-30/", "tags": ["x_transferred"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2023-31/", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5464", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5469", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00008.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00010.html", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6C6420C-0883-4585-A655-4C470029CB85", "versionEndExcluding": "116.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "matchCriteriaId": "D49AC718-4650-4F1B-BD3C-C4780DD68015", "versionEndExcluding": "102.14", "versionStartIncluding": "102.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D71A08C-44F2-41BF-8074-829EAEE37EEC", "versionEndExcluding": "115.1", "versionStartIncluding": "115.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*", "matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When the number of cookies per domain was exceeded in `document.cookie`, the actual cookie jar sent to the host was no longer consistent with expected cookie jar state. This could have caused requests to be sent with some cookies missing. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1."}, {"lang": "es", "value": "Cuando se superaba el n\u00famero de cookies por dominio en `document.cookie`, el tarro de cookies real enviado al host ya no era coherente con el estado de tarro de cookies esperado. Esto pod\u00eda provocar que se enviasen peticiones en las que faltasen algunas cookies. Esta vulnerabilidad afecta a las versiones anteriores a Firefox 116, Firefox ESR 102.14, y Firefox ESR 115.1."}], "id": "CVE-2023-4055", "lastModified": "2023-08-09T21:15:11.820", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-01T16:15:09.967", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1782561"}, {"source": "security@mozilla.org", "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00008.html"}, {"source": "security@mozilla.org", "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00010.html"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5464"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5469"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2023-29/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2023-30/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2023-31/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Marco Squarcina as the original reporter.", "affected_release": [{"advisory": "RHSA-2023:4461", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "firefox-0:102.14.0-1.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2023-08-03T00:00:00Z"}, {"advisory": "RHSA-2023:4495", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "thunderbird-0:102.14.0-1.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2023-08-07T00:00:00Z"}, {"advisory": "RHSA-2023:4468", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:102.14.0-1.el8_8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-08-03T00:00:00Z"}, {"advisory": "RHSA-2023:4497", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:102.14.0-1.el8_8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-08-07T00:00:00Z"}, {"advisory": "RHSA-2023:4464", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "firefox-0:102.14.0-1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2023-08-03T00:00:00Z"}, {"advisory": "RHSA-2023:4492", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "thunderbird-0:102.14.0-1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2023-08-07T00:00:00Z"}, {"advisory": "RHSA-2023:4460", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "firefox-0:102.14.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2023-08-03T00:00:00Z"}, {"advisory": "RHSA-2023:4496", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "thunderbird-0:102.14.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2023-08-07T00:00:00Z"}, {"advisory": "RHSA-2023:4460", "cpe": "cpe:/a:redhat:rhel_tus:8.2", "package": "firefox-0:102.14.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2023-08-03T00:00:00Z"}, {"advisory": "RHSA-2023:4496", "cpe": "cpe:/a:redhat:rhel_tus:8.2", "package": "thunderbird-0:102.14.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2023-08-07T00:00:00Z"}, {"advisory": "RHSA-2023:4460", "cpe": "cpe:/a:redhat:rhel_e4s:8.2", "package": "firefox-0:102.14.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2023-08-03T00:00:00Z"}, {"advisory": "RHSA-2023:4496", "cpe": "cpe:/a:redhat:rhel_e4s:8.2", "package": "thunderbird-0:102.14.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2023-08-07T00:00:00Z"}, {"advisory": "RHSA-2023:4469", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "firefox-0:102.14.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2023-08-03T00:00:00Z"}, {"advisory": "RHSA-2023:4500", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "thunderbird-0:102.14.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2023-08-07T00:00:00Z"}, {"advisory": "RHSA-2023:4469", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "firefox-0:102.14.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2023-08-03T00:00:00Z"}, {"advisory": "RHSA-2023:4500", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "thunderbird-0:102.14.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2023-08-07T00:00:00Z"}, {"advisory": "RHSA-2023:4469", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "firefox-0:102.14.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2023-08-03T00:00:00Z"}, {"advisory": "RHSA-2023:4500", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "thunderbird-0:102.14.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2023-08-07T00:00:00Z"}, {"advisory": "RHSA-2023:4463", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "firefox-0:102.14.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-08-03T00:00:00Z"}, {"advisory": "RHSA-2023:4493", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "thunderbird-0:102.14.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-08-07T00:00:00Z"}, {"advisory": "RHSA-2023:4462", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "firefox-0:102.14.0-1.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-08-03T00:00:00Z"}, {"advisory": "RHSA-2023:4499", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "thunderbird-0:102.14.0-1.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-08-07T00:00:00Z"}, {"advisory": "RHSA-2023:4465", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "firefox-0:102.14.0-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2023-08-03T00:00:00Z"}, {"advisory": "RHSA-2023:4494", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "thunderbird-0:102.14.0-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2023-08-07T00:00:00Z"}], "bugzilla": {"description": "Mozilla: Cookie jar overflow caused unexpected cookie jar state", "id": "2228367", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2228367"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "verified"}, "cwe": "CWE-784", "details": ["When the number of cookies per domain was exceeded in `document.cookie`, the actual cookie jar sent to the host was no longer consistent with expected cookie jar state. This could have caused requests to be sent with some cookies missing. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.", "The Mozilla Foundation Security Advisory describes this flaw as:\nWhen the number of cookies per domain was exceeded in `document.cookie`, the actual cookie jar sent to the host was no longer consistent with expected cookie jar state. This could have caused requests to be sent with some cookies missing."], "name": "CVE-2023-4055", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2023-08-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-4055\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-4055\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4055\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4055\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4055\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2023-33/#CVE-2023-4055"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Low", "upstream_fix": "thunderbird 102.14, thunderbird 115.1, firefox 102.14, firefox 115.1"}