An invalid Polkit Authentication check and missing authentication requirements for D-Bus methods allowed any local user to configure arbitrary VPN setups.
This bug only affects Mozilla VPN on Linux. Other operating systems are unaffected. This vulnerability affects Mozilla VPN client for Linux < v2.16.1.
bugzilla.mozilla.org/show_bug.cgi?id=1831318
github.com/mozilla-mobile/mozilla-vpn-client/pull/7055
github.com/mozilla-mobile/mozilla-vpn-client/pull/7110
github.com/mozilla-mobile/mozilla-vpn-client/pull/7151
www.mozilla.org/security/advisories/mfsa2023-39/
www.openwall.com/lists/oss-security/2023/08/03/1