CVE-2023-6863: 
NixOS vulnerability analysis and mitigation

The vulnerability (CVE-2023-6863) affects the ShutdownObserver() functionality in Mozilla Firefox products. The issue was discovered in Firefox ESR < 115.6, Thunderbird < 115.6, and Firefox < 121, where the ShutdownObserver() was susceptible to potentially undefined behavior due to its reliance on a dynamic type that lacked a virtual destructor (Mozilla Advisory).

The vulnerability stems from a C++ implementation issue where the ShutdownObserver() invokes undefined behavior by deleting an object whose static type lacks a virtual destructor, while the object has a derived-class dynamic type. The issue specifically concerns three arrays in widget/GfxDriverInfo.h that handle window protocols, device vendors, and driver vendors (Mozilla Bug).

The vulnerability has been assessed with a CVSS v3.1 base score of 8.8 (HIGH), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This indicates potential high impacts on confidentiality, integrity, and availability of the affected systems (NVD).

The vulnerability has been patched in Firefox ESR 115.6, Thunderbird 115.6, and Firefox 121. Users are advised to upgrade to these versions or later to mitigate the risk. The fix involved changing the declaration to use the concrete derived class instead of the base class (Debian Advisory).