Vulnerability-Lookup

CVE-2022-38478 (GCVE-0-2022-38478)

Vulnerability from cvelistv5 – Published: 2022-12-22 00:00 – Updated: 2025-04-15 17:20

Summary

Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13

Assigner

mozilla

References

URL

GHSA-C5F3-H7XH-CF2F

Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2024-10-21 15:32

Details

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-38478"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-22T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird \u003c 102.2, Thunderbird \u003c 91.13, Firefox ESR \u003c 91.13, Firefox ESR \u003c 102.2, and Firefox \u003c 104.",
  "id": "GHSA-c5f3-h7xh-cf2f",
  "modified": "2024-10-21T15:32:26Z",
  "published": "2022-12-22T21:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38478"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1770630%2C1776658"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-33"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-34"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-35"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-36"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-37"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

cve-2022-38478

Vulnerability from osv_almalinux

Published

2022-08-24 00:00

Modified

2022-08-30 19:26

Summary

Important: thunderbird security update

Details

Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.13.0. Security Fix(es): * Mozilla: Address bar spoofing via XSLT error handling (CVE-2022-38472) * Mozilla: Cross-origin XSLT Documents would have inherited the parent's permissions (CVE-2022-38473) * Mozilla: Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2 (CVE-2022-38477) * Mozilla: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13 (CVE-2022-38478) * Mozilla: Data race and potential use-after-free in PK11_ChangePW (CVE-2022-38476) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "thunderbird"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "91.13.0-1.el8_6.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Thunderbird is a standalone mail and newsgroup client.\nThis update upgrades Thunderbird to version 91.13.0.\nSecurity Fix(es):\n* Mozilla: Address bar spoofing via XSLT error handling (CVE-2022-38472)\n* Mozilla: Cross-origin XSLT Documents would have inherited the parent\u0027s permissions (CVE-2022-38473)\n* Mozilla: Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2 (CVE-2022-38477)\n* Mozilla: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13 (CVE-2022-38478)\n* Mozilla: Data race and potential use-after-free in PK11_ChangePW (CVE-2022-38476)\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2022:6164",
  "modified": "2022-08-30T19:26:04Z",
  "published": "2022-08-24T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2022:6164"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-38472"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-38473"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-38476"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-38477"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-38478"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2120673"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2120674"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2120678"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2120695"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2120696"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2022-6164.html"
    }
  ],
  "related": [
    "CVE-2022-38472",
    "CVE-2022-38473",
    "CVE-2022-38477",
    "CVE-2022-38478",
    "CVE-2022-38476"
  ],
  "summary": "Important: thunderbird security update"
}

cve-2022-38478

Vulnerability from osv_almalinux

Published

2022-08-24 00:00

Modified

2022-08-30 19:08

Summary

Important: firefox security update

Details

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.13.0 ESR. Security Fix(es): * Mozilla: Address bar spoofing via XSLT error handling (CVE-2022-38472) * Mozilla: Cross-origin XSLT Documents would have inherited the parent's permissions (CVE-2022-38473) * Mozilla: Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2 (CVE-2022-38477) * Mozilla: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13 (CVE-2022-38478) * Mozilla: Data race and potential use-after-free in PK11_ChangePW (CVE-2022-38476) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "firefox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "91.13.0-1.el8_6.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\nThis update upgrades Firefox to version 91.13.0 ESR.\nSecurity Fix(es):\n* Mozilla: Address bar spoofing via XSLT error handling (CVE-2022-38472)\n* Mozilla: Cross-origin XSLT Documents would have inherited the parent\u0027s permissions (CVE-2022-38473)\n* Mozilla: Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2 (CVE-2022-38477)\n* Mozilla: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13 (CVE-2022-38478)\n* Mozilla: Data race and potential use-after-free in PK11_ChangePW (CVE-2022-38476)\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2022:6175",
  "modified": "2022-08-30T19:08:42Z",
  "published": "2022-08-24T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2022:6175"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-38472"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-38473"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-38476"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-38477"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-38478"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2120673"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2120674"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2120678"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2120695"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2120696"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2022-6175.html"
    }
  ],
  "related": [
    "CVE-2022-38472",
    "CVE-2022-38473",
    "CVE-2022-38477",
    "CVE-2022-38478",
    "CVE-2022-38476"
  ],
  "summary": "Important: firefox security update"
}

cve-2022-38478

Vulnerability from osv_almalinux

Published

2022-08-24 00:00

Modified

2022-08-30 19:29

Summary

Important: thunderbird security update

Details

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "thunderbird"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "91.13.0-1.el9_0.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Thunderbird is a standalone mail and newsgroup client.\nThis update upgrades Thunderbird to version 91.13.0.\nSecurity Fix(es):\n* Mozilla: Address bar spoofing via XSLT error handling (CVE-2022-38472)\n* Mozilla: Cross-origin XSLT Documents would have inherited the parent\u0027s permissions (CVE-2022-38473)\n* Mozilla: Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2 (CVE-2022-38477)\n* Mozilla: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13 (CVE-2022-38478)\n* Mozilla: Data race and potential use-after-free in PK11_ChangePW (CVE-2022-38476)\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2022:6165",
  "modified": "2022-08-30T19:29:21Z",
  "published": "2022-08-24T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2022:6165"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-38472"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-38473"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-38476"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-38477"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-38478"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2120673"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2120674"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2120678"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2120695"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2120696"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2022-6165.html"
    }
  ],
  "related": [
    "CVE-2022-38472",
    "CVE-2022-38473",
    "CVE-2022-38477",
    "CVE-2022-38478",
    "CVE-2022-38476"
  ],
  "summary": "Important: thunderbird security update"
}

cve-2022-38478

Vulnerability from osv_almalinux

Published

2022-08-24 00:00

Modified

2022-08-30 14:56

Summary

Important: firefox security update

Details

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "firefox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "91.13.0-1.el9_0.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\nThis update upgrades Firefox to version 91.13.0 ESR.\nSecurity Fix(es):\n* Mozilla: Address bar spoofing via XSLT error handling (CVE-2022-38472)\n* Mozilla: Cross-origin XSLT Documents would have inherited the parent\u0027s permissions (CVE-2022-38473)\n* Mozilla: Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2 (CVE-2022-38477)\n* Mozilla: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13 (CVE-2022-38478)\n* Mozilla: Data race and potential use-after-free in PK11_ChangePW (CVE-2022-38476)\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2022:6174",
  "modified": "2022-08-30T14:56:43Z",
  "published": "2022-08-24T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2022:6174"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-38472"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-38473"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-38476"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-38477"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-38478"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2120673"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2120674"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2120678"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2120695"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2120696"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2022-6174.html"
    }
  ],
  "related": [
    "CVE-2022-38472",
    "CVE-2022-38473",
    "CVE-2022-38477",
    "CVE-2022-38478",
    "CVE-2022-38476"
  ],
  "summary": "Important: firefox security update"
}

GSD-2022-38478

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-38478

Aliases

CVE-2022-38478

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-38478",
    "description": "Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird \u003c 102.2, Thunderbird \u003c 91.13, Firefox ESR \u003c 91.13, Firefox ESR \u003c 102.2, and Firefox \u003c 104.",
    "id": "GSD-2022-38478"
  },
  "gsd": {
    "affected": [
      {
        "package": {
          "ecosystem": "Mozilla",
          "name": "Thunderbird"
        },
        "ranges": [
          {
            "events": [
              {
                "fixed": "91.13"
              },
              {
                "introduced": "0"
              },
              {
                "fixed": "102.2"
              },
              {
                "introduced": "0"
              }
            ],
            "type": "SEMVER"
          }
        ],
        "version": []
      },
      {
        "package": {
          "ecosystem": "Mozilla",
          "name": "Firefox ESR"
        },
        "ranges": [
          {
            "events": [
              {
                "fixed": "102.2"
              },
              {
                "introduced": "0"
              },
              {
                "fixed": "91.13"
              },
              {
                "introduced": "0"
              }
            ],
            "type": "SEMVER"
          }
        ],
        "version": []
      },
      {
        "package": {
          "ecosystem": "Mozilla",
          "name": "Firefox"
        },
        "ranges": [
          {
            "events": [
              {
                "fixed": "104"
              },
              {
                "introduced": "0"
              }
            ],
            "type": "SEMVER"
          }
        ],
        "version": []
      }
    ],
    "alias": [
      "CVE-2022-38478"
    ],
    "database_specific": {
      "GSD": {
        "alias": "CVE-2022-38478",
        "id": "GSD-2022-38478",
        "references": [
          "https://advisories.mageia.org/CVE-2022-38478.html",
          "https://access.redhat.com/errata/RHSA-2022:6164",
          "https://access.redhat.com/errata/RHSA-2022:6165",
          "https://access.redhat.com/errata/RHSA-2022:6166",
          "https://access.redhat.com/errata/RHSA-2022:6167",
          "https://access.redhat.com/errata/RHSA-2022:6168",
          "https://access.redhat.com/errata/RHSA-2022:6169",
          "https://access.redhat.com/errata/RHSA-2022:6174",
          "https://access.redhat.com/errata/RHSA-2022:6175",
          "https://access.redhat.com/errata/RHSA-2022:6176",
          "https://access.redhat.com/errata/RHSA-2022:6177",
          "https://access.redhat.com/errata/RHSA-2022:6178",
          "https://access.redhat.com/errata/RHSA-2022:6179",
          "https://www.suse.com/security/cve/CVE-2022-38478.html",
          "https://ubuntu.com/security/CVE-2022-38478",
          "https://www.debian.org/security/2022/dsa-5217",
          "https://www.debian.org/security/2022/dsa-5221"
        ]
      }
    },
    "details": "Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird \u003c 91.13, Thunderbird \u003c 102.2, Firefox ESR \u003c 102.2, Firefox ESR \u003c 91.13, and Firefox \u003c 104.",
    "id": "GSD-2022-38478",
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "modified": "2022-09-27T16:35:15.412695Z",
    "osvSchema": {
      "aliases": [
        "CVE-2022-38478"
      ],
      "details": "Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird \u003c 102.2, Thunderbird \u003c 91.13, Firefox ESR \u003c 91.13, Firefox ESR \u003c 102.2, and Firefox \u003c 104.",
      "id": "GSD-2022-38478",
      "modified": "2023-12-13T01:19:22.230313Z",
      "schema_version": "1.4.0"
    },
    "references": [
      {
        "type": "ADVISORY",
        "url": "https://www.mozilla.org/security/advisories/mfsa2022-35/"
      },
      {
        "type": "ADVISORY",
        "url": "https://www.mozilla.org/security/advisories/mfsa2022-37/"
      },
      {
        "type": "ADVISORY",
        "url": "https://www.mozilla.org/security/advisories/mfsa2022-36/"
      },
      {
        "type": "ADVISORY",
        "url": "https://www.mozilla.org/security/advisories/mfsa2022-34/"
      },
      {
        "type": "ADVISORY",
        "url": "https://www.mozilla.org/security/advisories/mfsa2022-33/"
      },
      {
        "type": "ADVISORY",
        "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1770630%2C1776658"
      },
      {
        "type": "ADVISORY",
        "url": "https://advisories.mageia.org/CVE-2022-38478.html"
      },
      {
        "type": "ADVISORY",
        "url": "https://access.redhat.com/errata/RHSA-2022:6164"
      },
      {
        "type": "ADVISORY",
        "url": "https://access.redhat.com/errata/RHSA-2022:6165"
      },
      {
        "type": "ADVISORY",
        "url": "https://access.redhat.com/errata/RHSA-2022:6166"
      },
      {
        "type": "ADVISORY",
        "url": "https://access.redhat.com/errata/RHSA-2022:6167"
      },
      {
        "type": "ADVISORY",
        "url": "https://access.redhat.com/errata/RHSA-2022:6168"
      },
      {
        "type": "ADVISORY",
        "url": "https://access.redhat.com/errata/RHSA-2022:6169"
      },
      {
        "type": "ADVISORY",
        "url": "https://access.redhat.com/errata/RHSA-2022:6174"
      },
      {
        "type": "ADVISORY",
        "url": "https://access.redhat.com/errata/RHSA-2022:6175"
      },
      {
        "type": "ADVISORY",
        "url": "https://access.redhat.com/errata/RHSA-2022:6176"
      },
      {
        "type": "ADVISORY",
        "url": "https://access.redhat.com/errata/RHSA-2022:6177"
      },
      {
        "type": "ADVISORY",
        "url": "https://access.redhat.com/errata/RHSA-2022:6178"
      },
      {
        "type": "ADVISORY",
        "url": "https://access.redhat.com/errata/RHSA-2022:6179"
      },
      {
        "type": "ADVISORY",
        "url": "https://www.suse.com/security/cve/CVE-2022-38478.html"
      },
      {
        "type": "ADVISORY",
        "url": "https://ubuntu.com/security/CVE-2022-38478"
      },
      {
        "type": "ADVISORY",
        "url": "https://www.debian.org/security/2022/dsa-5217"
      },
      {
        "type": "ADVISORY",
        "url": "https://www.debian.org/security/2022/dsa-5221"
      }
    ],
    "schema_version": "1.3.0",
    "summary": "Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird \u003c 91.13, Thunderbird \u003c 102.2, Firefox ESR \u003c 102.2, Firefox ESR \u003c 91.13, and Firefox \u003c 104."
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@mozilla.org",
        "ID": "CVE-2022-38478",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Thunderbird",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "102.2"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "91.13"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Firefox ESR",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "91.13"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "102.2"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Firefox",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "104"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Mozilla"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird \u003c 102.2, Thunderbird \u003c 91.13, Firefox ESR \u003c 91.13, Firefox ESR \u003c 102.2, and Firefox \u003c 104."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.mozilla.org/security/advisories/mfsa2022-35/",
            "refsource": "MISC",
            "url": "https://www.mozilla.org/security/advisories/mfsa2022-35/"
          },
          {
            "name": "https://www.mozilla.org/security/advisories/mfsa2022-33/",
            "refsource": "MISC",
            "url": "https://www.mozilla.org/security/advisories/mfsa2022-33/"
          },
          {
            "name": "https://www.mozilla.org/security/advisories/mfsa2022-37/",
            "refsource": "MISC",
            "url": "https://www.mozilla.org/security/advisories/mfsa2022-37/"
          },
          {
            "name": "https://www.mozilla.org/security/advisories/mfsa2022-36/",
            "refsource": "MISC",
            "url": "https://www.mozilla.org/security/advisories/mfsa2022-36/"
          },
          {
            "name": "https://www.mozilla.org/security/advisories/mfsa2022-34/",
            "refsource": "MISC",
            "url": "https://www.mozilla.org/security/advisories/mfsa2022-34/"
          },
          {
            "name": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1770630%2C1776658",
            "refsource": "MISC",
            "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1770630%2C1776658"
          }
        ]
      }
    },
    "mozilla.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@mozilla.org",
        "ID": "CVE-2022-38478"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Thunderbird",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "91.13"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "102.2"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Firefox ESR",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "102.2"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "91.13"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Firefox",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "104"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Mozilla"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird \u003c 91.13, Thunderbird \u003c 102.2, Firefox ESR \u003c 102.2, Firefox ESR \u003c 91.13, and Firefox \u003c 104."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "url": "https://www.mozilla.org/security/advisories/mfsa2022-35/"
          },
          {
            "url": "https://www.mozilla.org/security/advisories/mfsa2022-37/"
          },
          {
            "url": "https://www.mozilla.org/security/advisories/mfsa2022-36/"
          },
          {
            "url": "https://www.mozilla.org/security/advisories/mfsa2022-34/"
          },
          {
            "url": "https://www.mozilla.org/security/advisories/mfsa2022-33/"
          },
          {
            "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1770630%2C1776658"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "102.2",
                "versionStartIncluding": "102.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "91.13",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "102.2",
                "versionStartIncluding": "102.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "91.13",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "104.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@mozilla.org",
          "ID": "CVE-2022-38478"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird \u003c 102.2, Thunderbird \u003c 91.13, Firefox ESR \u003c 91.13, Firefox ESR \u003c 102.2, and Firefox \u003c 104."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-787"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1770630%2C1776658",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Not Applicable",
                "Vendor Advisory"
              ],
              "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1770630%2C1776658"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2022-35/",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.mozilla.org/security/advisories/mfsa2022-35/"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2022-34/",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.mozilla.org/security/advisories/mfsa2022-34/"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2022-33/",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.mozilla.org/security/advisories/mfsa2022-33/"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2022-37/",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.mozilla.org/security/advisories/mfsa2022-37/"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2022-36/",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.mozilla.org/security/advisories/mfsa2022-36/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2022-12-31T02:35Z",
      "publishedDate": "2022-12-22T20:15Z"
    }
  }
}

CERTFR-2022-AVI-765

Vulnerability from certfr_avis - Published: 2022-08-24 - Updated: 2022-08-24

De multiples vulnérabilités ont été corrigées dans Mozilla. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Mozilla	Firefox ESR	Firefox ESR versions antérieures à 102.2
Mozilla	Thunderbird	Thunderbird versions antérieures à 91.13
Mozilla	Firefox ESR	Firefox ESR versions antérieures à 91.13
Mozilla	Thunderbird	Thunderbird versions antérieures à 102.2
Mozilla	Firefox	Firefox versions antérieures à 104

References

Title

Publication Time

FKIE_CVE-2022-38478

Vulnerability from fkie_nvd - Published: 2022-12-22 20:15 - Updated: 2025-04-15 18:15

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security@mozilla.org	https://bugzilla.mozilla.org/buglist.cgi?bug_id=1770630%2C1776658	Issue Tracking, Not Applicable, Vendor Advisory
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2022-33/	Vendor Advisory
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2022-34/	Vendor Advisory
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2022-35/	Vendor Advisory
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2022-36/	Vendor Advisory
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2022-37/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.mozilla.org/buglist.cgi?bug_id=1770630%2C1776658	Issue Tracking, Not Applicable, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.mozilla.org/security/advisories/mfsa2022-33/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.mozilla.org/security/advisories/mfsa2022-34/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.mozilla.org/security/advisories/mfsa2022-35/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.mozilla.org/security/advisories/mfsa2022-36/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.mozilla.org/security/advisories/mfsa2022-37/	Vendor Advisory

Impacted products

Vendor	Product	Version
mozilla	firefox	*
mozilla	firefox	*
mozilla	firefox_esr	*
mozilla	thunderbird	*
mozilla	thunderbird	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "70DE2928-97D5-4674-9A65-11445420644E",
              "versionEndExcluding": "104.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F41299AA-8263-4589-A162-B01BFF5D0125",
              "versionEndExcluding": "102.2",
              "versionStartIncluding": "102.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "04DB1F84-4152-40DE-967D-A6FD35AB93DC",
              "versionEndExcluding": "91.13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AB7B5641-427F-4682-94D0-E88C20613D05",
              "versionEndExcluding": "91.13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C55A8FB2-E22B-443C-93FF-A8D2DCE85585",
              "versionEndExcluding": "102.2",
              "versionStartIncluding": "102.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird \u003c 102.2, Thunderbird \u003c 91.13, Firefox ESR \u003c 91.13, Firefox ESR \u003c 102.2, and Firefox \u003c 104."
    },
    {
      "lang": "es",
      "value": "Los miembros del equipo Mozilla Fuzzing informaron errores de seguridad de la memoria presentes en Firefox 103, Firefox ESR 102.1 y Firefox ESR 91.12. Algunos de estos errores mostraron evidencia de corrupci\u00f3n de memoria y suponemos que con suficiente esfuerzo algunos de ellos podr\u00edan haberse aprovechado para ejecutar c\u00f3digo arbitrario. Esta vulnerabilidad afecta a Thunderbird \u0026lt; 102.2, Thunderbird \u0026lt; 91.13, Firefox ESR \u0026lt; 91.13, Firefox ESR \u0026lt; 102.2 y Firefox \u0026lt; 104."
    }
  ],
  "id": "CVE-2022-38478",
  "lastModified": "2025-04-15T18:15:44.067",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2022-12-22T20:15:37.587",
  "references": [
    {
      "source": "security@mozilla.org",
      "tags": [
        "Issue Tracking",
        "Not Applicable",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1770630%2C1776658"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-33/"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-34/"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-35/"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-36/"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-37/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Not Applicable",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1770630%2C1776658"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-33/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-34/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-35/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-36/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-37/"
    }
  ],
  "sourceIdentifier": "security@mozilla.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-787"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-787"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-38478 (GCVE-0-2022-38478)

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Solution

Tags

Sightings

Nomenclature