CVE-2022-42931 — Cleartext Storage of Sensitive Info in Mozilla Firefox

CWE-312 — Cleartext Storage of Sensitive Info CWE-922 — Insecure Storage of Sensitive Information9 documents6 sources

Severity

3.3LOWNVD

OSV8.1

EPSS

0.0%

top 89.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Thunderbird Debian Firefox

Timeline

PublishedDec 22

Description

Logins saved by Firefox should be managed by the Password Manager component which uses encryption to save files on-disk. Instead, the username (not password) was saved by the Form Manager to an unencrypted file on disk. This vulnerability affects Firefox < 106.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages6 packages

▶debiandebian/firefox< firefox 106.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 106

▶NVDmozilla/firefox< 106.0

▶Ubuntumozilla/firefox< 106.0.2+build1-0ubuntu0.18.04.1+3

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

GHSA-748v-pxm5-9m8q: Logins saved by Firefox should be managed by the Password Manager component which uses encryption to save files on-disk↗2022-12-22

▶

OSV

firefox vulnerabilities↗2022-11-10

▶

OSV

firefox vulnerabilities↗2022-11-01

▶

OSV

CVE-2022-42931: Logins saved by Firefox should be managed by the Password Manager component which uses encryption to save files on-disk↗2022-10-27

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2022-11-10

▶

Ubuntu

Firefox vulnerabilities↗2022-11-01

▶

Debian

CVE-2022-42931: firefox - Logins saved by Firefox should be managed by the Password Manager component whic...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-44: CVE-2022-42931↗

▶