Main Vulnerability Database Vulnerabilities #VU69334

#VU69334 Security features bypass in Mozilla Firefox and Firefox for Android - CVE-2022-45419

Published: November 15, 2022

Vulnerability identifier: #VU69334

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2022-45419

CWE-ID: CWE-254

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Mozilla Firefox
Firefox for Android

Software vendor:
Mozilla

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to the way Firefox handles deletion of a security exception granted for an invalid TLS certificate. If the user added a security exception for an invalid TLS certificate, opened an ongoing TLS connection with a server that used that certificate, and then deleted the exception, Firefox would have kept the connection alive, making it seem like the certificate was still trusted.

Remediation

Install updates from vendor's website.

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/