CVE-2022-22754Incorrect Authorization in Mozilla Firefox

CWE-863Incorrect AuthorizationCWE-1021UI Misrepresentation / Clickjacking13 documents8 sources
Severity
6.5MEDIUMNVD
OSV8.8
EPSS
0.0%
top 91.02%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxMozilla Firefox ESRMozilla Thunderbird
Timeline
PublishedDec 22

Description

If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages9 packages

CVEListV5mozilla/firefoxunspecified97
NVDmozilla/firefox< 97.0
CVEListV5mozilla/firefox_esrunspecified91.6
Ubuntumozilla/firefox< 97.0+build2-0ubuntu0.18.04.1+1

🔴Vulnerability Details

5
CVEList
CVE-2022-22754: If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants2022-12-22
GHSA
GHSA-mhvm-x9qg-34cw: If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants2022-12-22
OSV
CVE-2022-22754: If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants2022-12-22
OSV
thunderbird vulnerabilities2022-03-23
OSV
firefox vulnerabilities2022-02-14

📋Vendor Advisories

7
Ubuntu
Thunderbird vulnerabilities2022-03-23
Ubuntu
Firefox vulnerabilities2022-02-14
Red Hat
Mozilla: Extensions could have bypassed permission confirmation during update2022-02-08
Debian
CVE-2022-22754: firefox - If a user installed an extension of a particular type, the extension could have ...2022
Mozilla
Mozilla Foundation Security Advisory 2022-05: CVE-2022-22754
CVE-2022-22754 — Incorrect Authorization in Mozilla | cvebase