CVE-2022-22736 — Uncontrolled Search Path Element in Mozilla Firefox

CWE-427 — Uncontrolled Search Path Element4 documents4 sources

Severity

7.0HIGHNVD

EPSS

0.1%

top 70.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedDec 22

Description

If Firefox was installed to a world-writable directory, a local privilege escalation could occur when Firefox searched the current directory for system libraries. However the install directory is not world-writable by default.*This bug only affects Firefox for Windows in a non-default installation. Other operating systems are unaffected.*. This vulnerability affects Firefox < 96.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5mozilla/firefoxunspecified — 96

▶NVDmozilla/firefox< 96.0

▶debiandebian/firefox

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

GHSA-4qmj-r3wp-mpm8: If Firefox was installed to a world-writable directory, a local privilege escalation could occur when Firefox searched the current directory for syste↗2022-12-22

▶

📋Vendor Advisories

Debian

CVE-2022-22736: firefox - If Firefox was installed to a world-writable directory, a local privilege escala...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-01: CVE-2022-22736↗

▶