gsd-2022-22754
Vulnerability from gsd
Modified
2023-12-13 01:19
Details
If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-22754",
"description": "If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. This vulnerability affects Firefox \u003c 97, Thunderbird \u003c 91.6, and Firefox ESR \u003c 91.6.",
"id": "GSD-2022-22754"
},
"gsd": {
"affected": [
{
"package": {
"ecosystem": "Mozilla",
"name": "Thunderbird"
},
"ranges": [
{
"events": [
{
"fixed": "91.6"
},
{
"introduced": "0"
}
],
"type": "SEMVER"
}
],
"version": []
},
{
"package": {
"ecosystem": "Mozilla",
"name": "Firefox ESR"
},
"ranges": [
{
"events": [
{
"fixed": "91.6"
},
{
"introduced": "0"
}
],
"type": "SEMVER"
}
],
"version": []
},
{
"package": {
"ecosystem": "Mozilla",
"name": "Firefox"
},
"ranges": [
{
"events": [
{
"fixed": "97"
},
{
"introduced": "0"
}
],
"type": "SEMVER"
}
],
"version": []
}
],
"alias": [
"CVE-2022-22754"
],
"database_specific": {
"GSD": {
"alias": "CVE-2022-22754",
"id": "GSD-2022-22754",
"references": [
"https://www.suse.com/security/cve/CVE-2022-22754.html",
"https://www.debian.org/security/2022/dsa-5074",
"https://www.debian.org/security/2022/dsa-5069",
"https://access.redhat.com/errata/RHSA-2022:0539",
"https://access.redhat.com/errata/RHSA-2022:0538",
"https://access.redhat.com/errata/RHSA-2022:0537",
"https://access.redhat.com/errata/RHSA-2022:0536",
"https://access.redhat.com/errata/RHSA-2022:0535",
"https://access.redhat.com/errata/RHSA-2022:0514",
"https://access.redhat.com/errata/RHSA-2022:0513",
"https://access.redhat.com/errata/RHSA-2022:0512",
"https://access.redhat.com/errata/RHSA-2022:0511",
"https://access.redhat.com/errata/RHSA-2022:0510",
"https://ubuntu.com/security/CVE-2022-22754",
"https://advisories.mageia.org/CVE-2022-22754.html",
"https://linux.oracle.com/cve/CVE-2022-22754.html"
]
}
},
"details": "If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. This vulnerability affects Thunderbird \u003c 91.6, Firefox ESR \u003c 91.6, and Firefox \u003c 97.",
"id": "GSD-2022-22754",
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"modified": "2022-09-27T16:35:17.552953Z",
"osvSchema": {
"aliases": [
"CVE-2022-22754"
],
"details": "If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. This vulnerability affects Firefox \u003c 97, Thunderbird \u003c 91.6, and Firefox ESR \u003c 91.6.",
"id": "GSD-2022-22754",
"modified": "2023-12-13T01:19:28.796673Z",
"schema_version": "1.4.0"
},
"references": [
{
"type": "ADVISORY",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-04/"
},
{
"type": "ADVISORY",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-06/"
},
{
"type": "ADVISORY",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-05/"
},
{
"type": "ADVISORY",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1750565"
},
{
"type": "ADVISORY",
"url": "https://www.suse.com/security/cve/CVE-2022-22754.html"
},
{
"type": "ADVISORY",
"url": "https://www.debian.org/security/2022/dsa-5074"
},
{
"type": "ADVISORY",
"url": "https://www.debian.org/security/2022/dsa-5069"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:0539"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:0538"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:0537"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:0536"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:0535"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:0514"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:0513"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:0512"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:0511"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:0510"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/CVE-2022-22754"
},
{
"type": "ADVISORY",
"url": "https://advisories.mageia.org/CVE-2022-22754.html"
},
{
"type": "ADVISORY",
"url": "https://linux.oracle.com/cve/CVE-2022-22754.html"
}
],
"schema_version": "1.3.0",
"summary": "If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. This vulnerability affects Thunderbird \u003c 91.6, Firefox ESR \u003c 91.6, and Firefox \u003c 97."
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@mozilla.org",
"ID": "CVE-2022-22754",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Firefox",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "97"
}
]
}
},
{
"product_name": "Thunderbird",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "91.6"
}
]
}
},
{
"product_name": "Firefox ESR",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "91.6"
}
]
}
}
]
},
"vendor_name": "Mozilla"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. This vulnerability affects Firefox \u003c 97, Thunderbird \u003c 91.6, and Firefox ESR \u003c 91.6."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Extensions could have bypassed permission confirmation during update"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.mozilla.org/security/advisories/mfsa2022-05/",
"refsource": "MISC",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-05/"
},
{
"name": "https://www.mozilla.org/security/advisories/mfsa2022-04/",
"refsource": "MISC",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-04/"
},
{
"name": "https://www.mozilla.org/security/advisories/mfsa2022-06/",
"refsource": "MISC",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-06/"
},
{
"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1750565",
"refsource": "MISC",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1750565"
}
]
}
},
"mozilla.org": {
"CVE_data_meta": {
"ASSIGNER": "security@mozilla.org",
"ID": "CVE-2022-22754"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Thunderbird",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "91.6"
}
]
}
},
{
"product_name": "Firefox ESR",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "91.6"
}
]
}
},
{
"product_name": "Firefox",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "97"
}
]
}
}
]
},
"vendor_name": "Mozilla"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. This vulnerability affects Thunderbird \u003c 91.6, Firefox ESR \u003c 91.6, and Firefox \u003c 97."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Extensions could have bypassed permission confirmation during update"
}
]
}
]
},
"references": {
"reference_data": [
{
"url": "https://www.mozilla.org/security/advisories/mfsa2022-04/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2022-06/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2022-05/"
},
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1750565"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "97.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "91.6",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "91.6",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@mozilla.org",
"ID": "CVE-2022-22754"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. This vulnerability affects Firefox \u003c 97, Thunderbird \u003c 91.6, and Firefox ESR \u003c 91.6."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.mozilla.org/security/advisories/mfsa2022-06/",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2022-06/"
},
{
"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1750565",
"refsource": "MISC",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1750565"
},
{
"name": "https://www.mozilla.org/security/advisories/mfsa2022-05/",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2022-05/"
},
{
"name": "https://www.mozilla.org/security/advisories/mfsa2022-04/",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2022-04/"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6
}
},
"lastModifiedDate": "2022-12-29T23:06Z",
"publishedDate": "2022-12-22T20:15Z"
}
}
}
Loading...