CVE-2023-32210: 
NixOS vulnerability analysis and mitigation

CVE-2023-32210 is a security vulnerability discovered in Firefox versions prior to 113. The vulnerability was disclosed on May 9, 2023, and was reported by Nika Layzell. It affects the document principal object ordering mechanism in Firefox, where documents were incorrectly assuming an ordering of principal objects when ensuring the loading of appropriately privileged principals (Mozilla Advisory).

The vulnerability stems from a logic flaw in Document::MaybeDowngradePrincipal where the system incorrectly assumed the order of principals in the allowList. The order of principals in an expanded principal is determined by their origin's alphabetical ordering, rather than the intended order of execution. This vulnerability received a CVSS v3.1 base score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N (NVD).

Under certain circumstances, this vulnerability could allow a document to be loaded with a higher privileged principal than intended, potentially leading to privilege escalation issues. The impact is rated as moderate, affecting the integrity of the system while not compromising confidentiality or availability (Mozilla Advisory).

The vulnerability was fixed in Firefox version 113.0. Users and administrators are advised to upgrade to Firefox version 113.0 or later to mitigate this security issue. The fix involved removing the sorting from ExpandedPrincipal, as the extension framework should be the only significant user of expanded principals (Mozilla Advisory).