CVE-2022-45419Improper Certificate Validation in Mozilla Firefox

CWE-295Improper Certificate Validation8 documents7 sources
Severity
6.5MEDIUMNVD
OSV8.1
EPSS
0.1%
top 75.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxDebian FirefoxMsrc Azl3 Mozjs 102.15.1-1 ON Azure Linux 3.0
Timeline
PublishedDec 22

Description

If the user added a security exception for an invalid TLS certificate, opened an ongoing TLS connection with a server that used that certificate, and then deleted the exception, Firefox would have kept the connection alive, making it seem like the certificate was still trusted. This vulnerability affects Firefox < 107.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages6 packages

debiandebian/firefox< firefox 107.0-1 (sid)
CVEListV5mozilla/firefoxunspecified107
NVDmozilla/firefox< 107.0
Ubuntumozilla/firefox< 107.0+build2-0ubuntu0.18.04.1+1
mozillamozilla/firefox

🔴Vulnerability Details

3
GHSA
GHSA-qg25-r8rj-7fhp: If the user added a security exception for an invalid TLS certificate, opened an ongoing TLS connection with a server that used that certificate, and2022-12-22
OSV
CVE-2022-45419: If the user added a security exception for an invalid TLS certificate, opened an ongoing TLS connection with a server that used that certificate, and2022-11-16
OSV
firefox vulnerabilities2022-11-16

📋Vendor Advisories

4
Microsoft
If the user added a security exception for an invalid TLS certificate, opened an ongoing TLS connection with a server that used that certificate, and then deleted the exception, Firefox would have kep2022-12-13
Ubuntu
Firefox vulnerabilities2022-11-16
Debian
CVE-2022-45419: firefox - If the user added a security exception for an invalid TLS certificate, opened an...2022
Mozilla
Mozilla Foundation Security Advisory 2022-47: CVE-2022-45419