CVE-2022-26386 — Insecure Temporary File in Mozilla Firefox ESR
CWE-377 — Insecure Temporary FileCWE-281 — Improper Preservation of Permissions10 documents8 sources
Severity
6.5MEDIUMNVD
OSV8.8
EPSS
0.1%
top 71.71%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedDec 22
Description
Previously Firefox for macOS and Linux would download temporary files to a user-specific directory in /tmp, but this behavior was changed to download them to /tmp where they could be affected by other local users. This behavior was reverted to the original, user-specific directory. *This bug only affects Firefox for macOS and Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 91.7 and Thunderbird < 91.7.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6
Affected Packages6 packages
🔴Vulnerability Details
4CVEList▶
CVE-2022-26386: Previously Firefox for macOS and Linux would download temporary files to a user-specific directory in /tmp, but this behavior was changed to download↗2022-12-22
OSV▶
CVE-2022-26386: Previously Firefox for macOS and Linux would download temporary files to a user-specific directory in /tmp, but this behavior was changed to download↗2022-12-22
GHSA▶
GHSA-8xcq-8jhf-w82h: Previously Firefox for macOS and Linux would download temporary files to a user-specific directory in /tmp, but this behavior was changed to download↗2022-12-22
📋Vendor Advisories
5Debian▶
CVE-2022-26386: firefox-esr - Previously Firefox for macOS and Linux would download temporary files to a user-...↗2022