Rewterz Threat Advisory – Multiple Mozilla Firefox Vulnerabilities

December 14, 2022

Severity

High

Analysis Summary

CVE-2022-46882 CVSS:6.5

Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free in WebGL. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.

CVE-2022-46881 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a memory corruption in WebGL. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2022-46880 CVSS:6.5

CVE-2022-46879 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2022-46877 CVSS:6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the delaying or suppression of the fullscreen notification. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause user confusion or conduct spoofing attacks.

CVE-2022-46875 CVSS:6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the lack of the executable file warning when downloading .atloc and .ftploc files. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to bypass download protections and run commands on a user’s computer.

CVE-2022-46874 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by the truncation of a filename which removes the valid extension, and leaving a malicious extension in its place. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2022-46873 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by the failure to implement the unsafe-hashes CSP directive. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to inject and execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2022-46872 CVSS:8.1

Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by a compromised content process. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to escape the sandbox to read arbitrary files via clipboard-related IPC messages.

CVE-2022-46871 CVSS:8.8

Mozilla Firefox could provide weaker than expected security, caused by an out of date library (libusrsctp) that contains multiple vulnerabilities. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to launch further attacks on the system.

Impact

Denial of Service
Code Execution
Gain Access
Information Disclosure
Security Bypass

Indicators Of Compromise

CVE

CVE-2022-46882
CVE-2022-46881
CVE-2022-46880
CVE-2022-46879
CVE-2022-46877
CVE-2022-46875
CVE-2022-46874
CVE-2022-46873
CVE-2022-46872
CVE-2022-46871

Affected Vendors

Mozilla

Affected Products

Mozilla Thunderbird 102.5
Mozilla Firefox ESR 102.5
Mozilla Firefox 107

Remediation

Refer to Mozilla Foundation Security Advisory for patch, upgrade or suggested workaround information.

Mozilla Firefox ESR 102.6

Mozilla Thunderbird 102.6

Mozilla Firefox 108