PT-2022-2619 · Mozilla+10 · Thunderbird+12

Armin Ebert · Published 2022-05-03 · Updated 2024-12-12 · CVE-2022-29909

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Thunderbird versions prior to 91.9
Firefox ESR versions prior to 91.9
Firefox versions prior to 100

Description

Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions. The vulnerability is related to insufficient access control and can be exploited by a remote attacker to bypass existing security restrictions.

Recommendations

For Thunderbird versions prior to 91.9, update to version 91.9 or later.
For Firefox ESR versions prior to 91.9, update to version 91.9 or later.
For Firefox versions prior to 100, update to version 100 or later.

Exploit

Fix

Weakness Enumeration

Incorrect Default Permissions
Improper Preservation of Permissions

Related Identifiers

ALSA-2022:1705
ALSA-2022:1730
ALT-PU-2022-1812
ALT-PU-2022-1819
ALT-PU-2022-1847
ALT-PU-2022-1855
ALT-PU-2022-1941
ALT-PU-2022-1951
ALT-PU-2022-1983
ALT-PU-2022-2044
ALT-PU-2022-2053
ALT-PU-2022-2458
ALT-PU-2022-2929
ALT-PU-2022-2930
ALT-PU-2023-1138
ALT-PU-2023-1139
ALT-PU-2023-4336
ALT-PU-2023-4339
BDU:2022-03077
CESA-2022_1703
CESA-2022_1705
CESA-2022_1725
CESA-2022_1730
CVE-2022-29909
DLA-2994-1
DLA-3020-1
DSA-5129-1
DSA-5141-1
MGASA-2022-0162
MGASA-2022-0163
OESA-2023-1673
OESA-2023-1674
OPENSUSE-SU-2022_1719-1
OPENSUSE-SU-2022_1748-1
OPENSUSE-SU-2024:12044-1
OPENSUSE-SU-2024:12045-1
OPENSUSE-SU-2024:14572-1
RHSA-2022:1701
RHSA-2022:1702
RHSA-2022:1703
RHSA-2022:1704
RHSA-2022:1705
RHSA-2022:1724
RHSA-2022:1725
RHSA-2022:1726
RHSA-2022:1727
RHSA-2022:1730
RHSA-2022:4589
RHSA-2022:4590
RHSA-2022_1703
RHSA-2022_1705
RHSA-2022_1725
RHSA-2022_1730
RHSA-2022_4589
RHSA-2022_4590
RLSA-2022:1705
RLSA-2022:1730
SUSE-RU-2022:1579-1
SUSE-SU-2022:1719-1
SUSE-SU-2022:1731-1
SUSE-SU-2022:1748-1
SUSE-SU-2022:1757-1
SUSE-SU-2022_1719-1
SUSE-SU-2022_1731-1
SUSE-SU-2022_1748-1
SUSE-SU-2022_1757-1
USN-5411-1
USN-5435-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Firefox
Firefox ESR
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Thunderbird
Ubuntu