PT-2022-4971 · Mozilla+4 · Firefox+4

James Graham

·

Published

2022-02-08

·

Updated

2024-12-12

·

CVE-2022-22757

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions Mozilla Firefox versions prior to 97
Description The issue is related to the Remote Agent used in WebDriver, which did not properly validate the Host or Origin headers. This could have allowed websites to connect back to the user's browser and control it. The estimated number of potentially affected devices is not specified. There is no information about real-world incidents where this issue was exploited. Technical details about exploitation include the lack of validation of the Host or Origin headers, which could allow an attacker to bypass security restrictions, disclose protected information, and execute arbitrary code.
Recommendations For Mozilla Firefox versions prior to 97, update to version 97 or later to resolve the issue. As a temporary workaround, consider disabling the WebDriver feature until a patch is available.

Exploit

Fix

Insufficient Verification of Data Authenticity

Origin Validation Error

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-345CWE-346

Related Identifiers

ALT-PU-2022-1230
ALT-PU-2022-2458
ALT-PU-2022-2929
ALT-PU-2022-2930
ALT-PU-2023-1138
ALT-PU-2023-1139
ALT-PU-2023-4336
ALT-PU-2023-4339
BDU:2022-06166
CVE-2022-22757
OESA-2023-1673
OESA-2023-1674
OPENSUSE-SU-2024:11837-1
OPENSUSE-SU-2024:14572-1
USN-5284-1

Affected Products

Alt Linux
Astra Linux
Linuxmint
Firefox
Ubuntu