Lucene search

K
redhatRedHatRHSA-2022:5479
HistoryJun 30, 2022 - 10:26 p.m.

(RHSA-2022:5479) Important: firefox security update

2022-06-3022:26:21
access.redhat.com
32
mozilla firefox
security update
cve-2022-34468
cve-2022-34470
cve-2022-34479
cve-2022-34484
cve-2022-2200
cve-2022-31744
cve-2022-34472
cve-2022-34481
unix
open-source

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.005

Percentile

77.8%

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 91.11 ESR.

Security Fix(es):

  • Mozilla: CSP sandbox header without allow-scripts can be bypassed via retargeted javascript: URI (CVE-2022-34468)

  • Mozilla: Use-after-free in nsSHistory (CVE-2022-34470)

  • Mozilla: A popup window could be resized in a way to overlay the address bar with web content (CVE-2022-34479)

  • Mozilla: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11 (CVE-2022-34484)

  • Mozilla: Undesired attributes could be set as part of prototype pollution (CVE-2022-2200)

  • Mozilla: CSP bypass enabling stylesheet injection (CVE-2022-31744)

  • Mozilla: Unavailable PAC file resulted in OCSP requests being blocked (CVE-2022-34472)

  • Mozilla: Potential integer overflow in ReplaceElementsAt (CVE-2022-34481)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.005

Percentile

77.8%