openEuler 20.03 LTS SP4 update for firefox

1) Code Injection

EUVDB-ID: #VU63501

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2022-1802

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to prototype pollution in Top-Level Await implementation. A remote attacker can trick the victim to visit a specially crafted website, corrupt the methods of an Array object in JavaScript via prototype pollution and execute arbitrary JavaScript code in a privileged context.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP4

mozilla-crashreporter-firefox-debuginfo: before 79.0-17

firefox-debugsource: before 79.0-17

firefox-debuginfo: before 79.0-17

firefox: before 79.0-17

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1369

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.