CVE-2022-38475 — Incorrect Authorization in Mozilla Firefox

CWE-863 — Incorrect Authorization6 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 73.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Thunderbird Debian Firefox

Timeline

PublishedDec 22

Description

An attacker could have written a value to the first element in a zero-length JavaScript array. Although the array was zero-length, the value was not written to an invalid memory address. This vulnerability affects Firefox < 104.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages6 packages

▶debiandebian/firefox< firefox 104.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 104

▶NVDmozilla/firefox< 104.0

▶Ubuntumozilla/firefox< 104.0+build3-0ubuntu0.18.04.1+1

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

GHSA-vwhh-g8g6-6pf7: An attacker could have written a value to the first element in a zero-length JavaScript array↗2022-12-22

▶

OSV

CVE-2022-38475: An attacker could have written a value to the first element in a zero-length JavaScript array↗2022-08-24

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2022-08-24

▶

Debian

CVE-2022-38475: firefox - An attacker could have written a value to the first element in a zero-length Jav...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-33: CVE-2022-38475↗

▶