CVE-2022-26387
Summary
| CVE | CVE-2022-26387 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2022-12-22 20:15:00 UTC |
|---|
| Updated | 2022-12-30 16:04:00 UTC |
|---|
| Description | When installing an add-on, Firefox verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Firefox would not have noticed. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7. |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| Security Vulnerabilities fixed in Thunderbird 91.7 — Mozilla |
MISC |
www.mozilla.org |
|
| 1752979 - (CVE-2022-26387) TOCTOU flaw when verifying addon signatures: actual install might have different content |
MISC |
bugzilla.mozilla.org |
|
| Security Vulnerabilities fixed in Firefox ESR 91.7 — Mozilla |
MISC |
www.mozilla.org |
|
| Security Vulnerabilities fixed in Firefox 98 — Mozilla |
MISC |
www.mozilla.org |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 159696 Oracle Enterprise Linux Security Update for firefox (ELSA-2022-0824)
- 159697 Oracle Enterprise Linux Security Update for firefox (ELSA-2022-0818)
- 159705 Oracle Enterprise Linux Security Update for thunderbird (ELSA-2022-0845)
- 159706 Oracle Enterprise Linux Security Update for thunderbird (ELSA-2022-0850)
- 179116 Debian Security Update for firefox-esr (DSA 5097-1)
- 179121 Debian Security Update for firefox-esr (DLA 2942-1)
- 179150 Debian Security Update for thunderbird (DSA 5106-1)
- 179152 Debian Security Update for thunderbird (DLA 2961-1)
- 182313 Debian Security Update for firefox-esrthunderbird (CVE-2022-26387)
- 198696 Ubuntu Security Notification for Firefox Vulnerabilities (USN-5321-1)
- 198704 Ubuntu Security Notification for Firefox Vulnerabilities (USN-5321-2)
- 198711 Ubuntu Security Notification for Thunderbird Vulnerabilities (USN-5345-1)
- 240124 Red Hat Update for firefox (RHSA-2022:0817)
- 240132 Red Hat Update for firefox (RHSA-2022:0824)
- 240133 Red Hat Update for firefox (RHSA-2022:0818)
- 240136 Red Hat Update for firefox (RHSA-2022:0816)
- 240141 Red Hat Update for thunderbird (RHSA-2022:0853)
- 240142 Red Hat Update for thunderbird (RHSA-2022:0845)
- 240143 Red Hat Update for thunderbird (RHSA-2022:0843)
- 240145 Red Hat Update for thunderbird (RHSA-2022:0850)
- 240433 Red Hat Update for thunderbird (RHSA-2022:0847)
- 257161 CentOS Security Update for firefox (CESA-2022:0824)
- 257164 CentOS Security Update for thunderbird (CESA-2022:0850)
- 296057 Oracle Solaris 11.4 Support Repository Update (SRU) 44.113.4 Missing (bulletinapr2022)
- 353262 Amazon Linux Security Advisory for thunderbird : ALAS2-2022-1779
- 376457 Mozilla Firefox ESR Multiple Vulnerabilities (MFSA2022-11)
- 376458 Mozilla Firefox Multiple Vulnerabilities (MFSA2022-10)
- 376462 Mozilla Thunderbird Multiple Vulnerabilities (MFSA2022-12)
- 502075 Alpine Linux Security Update for firefox-esr
- 502690 Alpine Linux Security Update for firefox
- 504818 Alpine Linux Security Update for firefox-esr
- 504828 Alpine Linux Security Update for firefox
- 710582 Gentoo Linux Mozilla Firefox Multiple Vulnerabilities (GLSA 202208-08)
- 710585 Gentoo Linux Mozilla Thunderbird Multiple Vulnerabilities (GLSA 202208-14)
- 751863 SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2022:0819-1)
- 751868 SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2022:0822-1)
- 751869 SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2022:0821-1)
- 751876 OpenSUSE Security Update for MozillaFirefox (openSUSE-SU-2022:0821-1)
- 751915 OpenSUSE Security Update for MozillaThunderbird (openSUSE-SU-2022:0906-1)
- 753085 SUSE Enterprise Linux Security Update for MozillaThunderbird (SUSE-SU-2022:0906-1)
- 753414 SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2022:14906-1)
- 940460 AlmaLinux Security Update for firefox (ALSA-2022:0818)
- 940465 AlmaLinux Security Update for thunderbird (ALSA-2022:0845)
- 960832 Rocky Linux Security Update for thunderbird (RLSA-2022:0845)
- 960834 Rocky Linux Security Update for firefox (RLSA-2022:0818)
