CVE-2022-45419
Published 2022-12-22
Priority P4 · 28 · medium · 6.5 CVSS 3.1
AV:N / AC:L / PR:N / UI:R / S:U / C:N / I:H / A:N
EPSS: 0.37% (28.9th percentile)
If the user added a security exception for an invalid TLS certificate, opened an ongoing TLS connection with a server that used that certificate, and then deleted the exception, Firefox would have kept the connection alive, making it seem like the certificate was still trusted. This vulnerability affects Firefox < 107.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 107.0-1 (sid) | firefox 107.0-1 (sid) |
| mozilla | firefox | < 107.0 | 107.0 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 107.0+build2-0ubuntu0.18.04.1 | 107.0+build2-0ubuntu0.18.04.1 |
| mozilla | firefox | >= 0 < 107.0+build2-0ubuntu0.20.04.1 | 107.0+build2-0ubuntu0.20.04.1 |
| mozilla | firefox | >= unspecified < 107 | 107 |
| msrc | azl3_mozjs_102.15.1-1_on_azure_linux_3.0 | — | — |
CVSS provenance
nvd · v3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
osv · 8.1 HIGH
vendor_ubuntu · 8.1 HIGH
vendor_debian · 6.5 MEDIUM
vendor_msrc · 6.5 MEDIUM
Microsoft
vendor_msrc·2022-12-13·CVSS 6.5
CVE-2022-45419 [MEDIUM] CWE-295
If the user added a security exception for an invalid TLS certificate, opened an ongoing TLS connection with a server that used that certificate, and then deleted the exception, Firefox would have kept the connection alive, making it seem like the certificate was still trusted. This vulnerability affects Firefox < 107.
Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025.
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2022-11-16·CVSS 8.1
CVE-2022-40674 [HIGH] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Several security issues were fixed in Firefox.
Multiple security issues were discovered in Firefox. If a user were tricked
into opening a specially crafted website, an attacker could potentially
exploit these to cause a denial of service, spoof the contents of the
addressbar, bypass security restrictions, cross-site tracing or execute
arbitrary code. (CVE-2022-45403, CVE-2022-45404, CVE-2022-45405,
CVE-2022-45406, CVE-2022-45407, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410,
CVE-2022-45411, CVE-2022-45413, CVE-2022-40674, CVE-2022-45418, CVE-2022-45419,
CVE-2022-45420, CVE-2022-45421)
Armin Ebert discovered that Firefox did not properly manage while resolving
file symlink. If a user were tricked into opening a specially crafted weblink,
an attac
Debian
CVE-2022-45419: firefox - If the user added a security exception for an invalid TLS certificate, opened an...
vendor_debian·2022·CVSS 6.5
CVE-2022-45419 [MEDIUM] CVE-2022-45419: firefox - If the user added a security exception for an invalid TLS certificate, opened an...
If the user added a security exception for an invalid TLS certificate, opened an ongoing TLS connection with a server that used that certificate, and then deleted the exception, Firefox would have kept the connection alive, making it seem like the certificate was still trusted. This vulnerability affects Firefox < 107.
Scope: local
sid: resolved (fixed in 107.0-1)
Mozilla
Mozilla Foundation Security Advisory 2022-47: CVE-2022-45419
vendor_mozilla·CVSS 6.5
CVE-2022-45419 [MEDIUM] Mozilla Foundation Security Advisory 2022-47: CVE-2022-45419
Mozilla Foundation Security Advisory 2022-47
CVE: CVE-2022-45419
Product: Firefox
Impact: high
Fixed in: Firefox 107
GHSA
GHSA-qg25-r8rj-7fhp: If the user added a security exception for an invalid TLS certificate, opened an ongoing TLS connection with a server that used that certificate, and
ghsa_unreviewed·2022-12-22
CVE-2022-45419 [MEDIUM] CWE-295 GHSA-qg25-r8rj-7fhp: If the user added a security exception for an invalid TLS certificate, opened an ongoing TLS connection with a server that used that certificate, and
If the user added a security exception for an invalid TLS certificate, opened an ongoing TLS connection with a server that used that certificate, and then deleted the exception, Firefox would have kept the connection alive, making it seem like the certificate was still trusted. This vulnerability affects Firefox < 107.
OSV
CVE-2022-45419: If the user added a security exception for an invalid TLS certificate, opened an ongoing TLS connection with a server that used that certificate, and
osv·2022-11-16·CVSS 6.5
CVE-2022-45419 [MEDIUM] CVE-2022-45419: If the user added a security exception for an invalid TLS certificate, opened an ongoing TLS connection with a server that used that certificate, and
If the user added a security exception for an invalid TLS certificate, opened an ongoing TLS connection with a server that used that certificate, and then deleted the exception, Firefox would have kept the connection alive, making it seem like the certificate was still trusted. This vulnerability affects Firefox < 107.
OSV
firefox vulnerabilities
osv·2022-11-16·CVSS 8.1
CVE-2022-45403 [HIGH] firefox vulnerabilities
firefox vulnerabilities
Multiple security issues were discovered in Firefox. If a user were tricked
into opening a specially crafted website, an attacker could potentially
exploit these to cause a denial of service, spoof the contents of the
addressbar, bypass security restrictions, cross-site tracing or execute
arbitrary code. (CVE-2022-45403, CVE-2022-45404, CVE-2022-45405,
CVE-2022-45406, CVE-2022-45407, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410,
CVE-2022-45411, CVE-2022-45413, CVE-2022-40674, CVE-2022-45418, CVE-2022-45419,
CVE-2022-45420, CVE-2022-45421)
Armin Ebert discovered that Firefox did not properly manage while resolving
file symlink. If a user were tricked into opening a specially crafted weblink,
an attacker could potentially exploit these to cause a denial of service
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.