CVE-2022-46875 — Improper Authentication in Mozilla Firefox

CWE-287 — Improper Authentication CWE-357 — Insufficient UI Warning of Dangerous Operations8 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 65.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird

Timeline

PublishedDec 22

Description

The executable file warning was not presented when downloading .atloc and .ftploc files, which can run commands on a user's computer. *Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird < 102.6.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages6 packages

▶CVEListV5mozilla/firefoxunspecified — 108

▶NVDmozilla/firefox< 108.0

▶CVEListV5mozilla/firefox_esrunspecified — 102.6

▶NVDmozilla/firefox_esr< 102.6

▶CVEListV5mozilla/thunderbirdunspecified — 102.6

🔴Vulnerability Details

CVEList

CVE-2022-46875: The executable file warning was not presented when downloading↗2022-12-22

▶

GHSA

GHSA-w54j-3mgp-xm9q: The executable file warning was not presented when downloading↗2022-12-22

▶

📋Vendor Advisories

Red Hat

Mozilla: Download Protections were bypassed by .atloc and .ftploc files on Mac OS↗2022-12-13

▶

Debian

CVE-2022-46875: firefox - The executable file warning was not presented when downloading .atloc and .ftplo...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-52: CVE-2022-46875↗

▶

Mozilla

Mozilla Foundation Security Advisory 2022-53: CVE-2022-46875↗

▶

Mozilla

Mozilla Foundation Security Advisory 2022-51: CVE-2022-46875↗

▶