CVE-2022-34469 — Improper Certificate Validation in Mozilla Firefox

CWE-295 — Improper Certificate Validation4 documents4 sources

Severity

8.1HIGHNVD

EPSS

0.1%

top 80.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedDec 22

Description

When a TLS Certificate error occurs on a domain protected by the HSTS header, the browser should not allow the user to bypass the certificate error. On Firefox for Android, the user was presented with the option to bypass the error; this could only have been done by the user explicitly. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 102.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages4 packages

▶CVEListV5mozilla/firefoxunspecified — 102

▶NVDmozilla/firefox< 102.0

▶debiandebian/firefox

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

GHSA-454w-5cf7-2xqx: When a TLS Certificate error occurs on a domain protected by the HSTS header, the browser should not allow the user to bypass the certificate error↗2022-12-22

▶

📋Vendor Advisories

Debian

CVE-2022-34469: firefox - When a TLS Certificate error occurs on a domain protected by the HSTS header, th...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-24: CVE-2022-34469↗

▶