CVE-2023-6209: 
NixOS vulnerability analysis and mitigation

CVE-2023-6209 is a vulnerability discovered in Firefox browsers and Thunderbird email client, disclosed on November 21, 2023. The vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5, where relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/../" part in the path could be used to override the specified host (Mozilla Advisory, NVD).

The vulnerability stems from an inconsistency in URL parsing where Firefox diverged from the specification. When an href starts with three slashes (///), the browser incorrectly treated it as an empty host and allowed path collapsing to erase the first term, which could then affect the actual host determination. This differs from the standard two-slash behavior where the first part is correctly treated as a hostname and path traversal segments cannot affect it (Mozilla Bug).

The vulnerability has been assessed with a CVSS v3.1 Base Score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. This incorrect parsing behavior could contribute to security problems in websites, potentially allowing attackers to manipulate URL paths in ways that could override the intended host (NVD).

The vulnerability has been fixed in Firefox 120, Firefox ESR 115.5.0, and Thunderbird 115.5. Users are advised to upgrade to these versions or later to mitigate the vulnerability. The fix ensures proper parsing of URLs with multiple slashes to prevent path traversal from affecting hostname determination (Mozilla Advisory).