CVE-2022-22753 — Time-of-check Time-of-use (TOCTOU) Race Condition in Mozilla Firefox

CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition8 documents6 sources

Severity

7.1HIGHNVD

EPSS

0.4%

top 38.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird

Timeline

PublishedDec 22

Description

A Time-of-Check Time-of-Use bug existed in the Maintenance (Updater) Service that could be abused to grant Users write access to an arbitrary directory. This could have been used to escalate to SYSTEM access.*This bug only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages6 packages

▶CVEListV5mozilla/firefoxunspecified — 97

▶NVDmozilla/firefox< 97.0

▶CVEListV5mozilla/firefox_esrunspecified — 91.6

▶NVDmozilla/firefox_esr< 91.6

▶CVEListV5mozilla/thunderbirdunspecified — 91.6

🔴Vulnerability Details

GHSA

GHSA-pr6h-wqwg-8wxx: A Time-of-Check Time-of-Use bug existed in the Maintenance (Updater) Service that could be abused to grant Users write access to an arbitrary director↗2022-12-22

▶

CVEList

CVE-2022-22753: A Time-of-Check Time-of-Use bug existed in the Maintenance (Updater) Service that could be abused to grant Users write access to an arbitrary director↗2022-12-22

▶

📋Vendor Advisories

Red Hat

Mozilla: Privilege Escalation to SYSTEM on Windows via Maintenance Service↗2022-02-08

▶

Debian

CVE-2022-22753: firefox - A Time-of-Check Time-of-Use bug existed in the Maintenance (Updater) Service tha...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-05: CVE-2022-22753↗

▶

Mozilla

Mozilla Foundation Security Advisory 2022-06: CVE-2022-22753↗

▶

Mozilla

Mozilla Foundation Security Advisory 2022-04: CVE-2022-22753↗

▶