PT-2022-3283 · Mozilla+2 · Firefox For Android+2

Peter Gerber · Published 2022-06-28 · Updated 2024-12-12 · CVE-2022-34469

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Firefox for Android versions prior to 102

Description

The issue is related to the handling of TLS certificate errors on domains protected by the HSTS header. When such an error occurs, the browser should prevent the user from bypassing the certificate error. However, Firefox for Android gave users the option to bypass the error; the bypass could only be performed explicitly by the user. This could potentially allow a remote attacker to execute arbitrary code by exploiting the vulnerability in the TLS certificate authentication procedure.

Recommendations

For Firefox for Android versions prior to 102, update to version 102 or later to resolve the issue. As a temporary workaround, consider avoiding domains with TLS certificate errors to minimize the risk of exploitation. Restrict access to sensitive information when using Firefox for Android until the update is applied.

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

ALT-PU-2022-2151
ALT-PU-2022-2930
ALT-PU-2023-1139
ALT-PU-2023-4336
ALT-PU-2023-4339
BDU:2022-04018
CVE-2022-34469
OESA-2023-1673
OESA-2023-1674
OPENSUSE-SU-2022_3396-1
OPENSUSE-SU-2024:12184-1
OPENSUSE-SU-2024:14572-1
SUSE-SU-2022:3272-1
SUSE-SU-2022:3273-1
SUSE-SU-2022:3396-1

Affected Products

Alt Linux
Firefox For Android
Suse