CVE-2022-34471 — Insufficient Verification of Data Authenticity in Mozilla Firefox

CWE-345 — Insufficient Verification of Data Authenticity7 documents6 sources

Severity

6.5MEDIUMNVD

OSV8.8

EPSS

0.2%

top 61.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedDec 22

Description

When downloading an update for an addon, the downloaded addon update's version was not verified to match the version selected from the manifest. If the manifest had been tampered with on the server, an attacker could trick the browser into downgrading the addon to a prior version. This vulnerability affects Firefox < 102.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶debiandebian/firefox< firefox 102.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 102

▶NVDmozilla/firefox< 102.0

▶Ubuntumozilla/firefox< 102.0+build2-0ubuntu0.18.04.1+1

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

GHSA-4h8f-5jwq-q4wm: When downloading an update for an addon, the downloaded addon update's version was not verified to match the version selected from the manifest↗2022-12-22

▶

OSV

firefox vulnerabilities↗2022-07-05

▶

OSV

CVE-2022-34471: When downloading an update for an addon, the downloaded addon update's version was not verified to match the version selected from the manifest↗2022-07-05

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2022-07-05

▶

Debian

CVE-2022-34471: firefox - When downloading an update for an addon, the downloaded addon update's version w...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-24: CVE-2022-34471↗

▶