CVE-2022-22747 — Improper Certificate Validation in Mozilla Firefox

CWE-295 — Improper Certificate Validation CWE-476 — NULL Pointer Dereference17 documents8 sources

Severity

6.5MEDIUMNVD

OSV8.8

EPSS

0.1%

top 67.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird +1 more

Timeline

PublishedDec 22

Latest updateFeb 15

Description

After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to be unexploitable. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages10 packages

▶CVEListV5mozilla/firefoxunspecified — 96

▶NVDmozilla/firefox< 96.0

▶CVEListV5mozilla/firefox_esrunspecified — 91.5

▶NVDmozilla/firefox_esr< 91.5

▶CVEListV5mozilla/thunderbirdunspecified — 91.5

🔴Vulnerability Details

OSV

nss vulnerabilities↗2023-02-15

▶

CVEList

CVE-2022-22747: After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash↗2022-12-22

▶

OSV

CVE-2022-22747: After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash↗2022-12-22

▶

GHSA

GHSA-7h6j-6653-fx8c: After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash↗2022-12-22

▶

OSV

nss vulnerabilities↗2022-07-07

▶

📋Vendor Advisories

Ubuntu

NSS vulnerabilities↗2023-02-15

▶

Ubuntu

NSS vulnerabilities↗2022-07-07

▶

Ubuntu

Thunderbird vulnerabilities↗2022-01-21

▶

Ubuntu

Thunderbird vulnerabilities↗2022-01-21

▶

Ubuntu

Firefox vulnerabilities↗2022-01-13

▶