CVE-2022-45416Observable Discrepancy in Mozilla Firefox

CWE-203Observable Discrepancy13 documents8 sources
Severity
6.5MEDIUMNVD
OSV8.1
EPSS
0.2%
top 59.37%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxMozilla Firefox ESRMozilla Thunderbird
Timeline
PublishedDec 22
Latest updateFeb 6

Description

Keyboard events reference strings like "KeyA" that were at fixed, known, and widely-spread addresses. Cache-based timing attacks such as Prime+Probe could have possibly figured out which keys were being pressed. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages9 packages

CVEListV5mozilla/firefoxunspecified107
NVDmozilla/firefox< 107.0
CVEListV5mozilla/firefox_esrunspecified102.5
NVDmozilla/firefox_esr< 102.5
Ubuntumozilla/firefox< 107.0+build2-0ubuntu0.18.04.1+1

🔴Vulnerability Details

5
OSV
thunderbird vulnerabilities2023-02-06
GHSA
GHSA-wfp4-223f-x5rm: Keyboard events reference strings like "KeyA" that were at fixed, known, and widely-spread addresses2022-12-22
CVEList
CVE-2022-45416: Keyboard events reference strings like "KeyA" that were at fixed, known, and widely-spread addresses2022-12-22
OSV
CVE-2022-45416: Keyboard events reference strings like "KeyA" that were at fixed, known, and widely-spread addresses2022-12-22
OSV
firefox vulnerabilities2022-11-16

📋Vendor Advisories

7
Ubuntu
Thunderbird vulnerabilities2023-02-06
Ubuntu
Firefox vulnerabilities2022-11-16
Red Hat
Mozilla: Keystroke Side-Channel Leakage2022-11-15
Debian
CVE-2022-45416: firefox - Keyboard events reference strings like "KeyA" that were at fixed, known, and wid...2022
Mozilla
Mozilla Foundation Security Advisory 2022-49: CVE-2022-45416
CVE-2022-45416 — Observable Discrepancy in Mozilla | cvebase