{"api_version":"1","generated_at":"2026-04-22T23:32:04+00:00","cve":"CVE-2022-22753","urls":{"html":"https://cve.report/CVE-2022-22753","api":"https://cve.report/api/cve/CVE-2022-22753.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-22753","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-22753"},"summary":{"title":"CVE-2022-22753","description":"A Time-of-Check Time-of-Use bug existed in the Maintenance (Updater) Service that could be abused to grant Users write access to an arbitrary directory. This could have been used to escalate to SYSTEM access.<br>*This bug only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2022-12-22 20:15:00","updated_at":"2022-12-29 23:03:00"},"problem_types":["CWE-367"],"metrics":[],"references":[{"url":"https://www.mozilla.org/security/advisories/mfsa2022-06/","name":"https://www.mozilla.org/security/advisories/mfsa2022-06/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Thunderbird 91.6 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1732435","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1732435","refsource":"MISC","tags":[],"title":"Access Denied","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2022-05/","name":"https://www.mozilla.org/security/advisories/mfsa2022-05/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Firefox ESR 91.6 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2022-04/","name":"https://www.mozilla.org/security/advisories/mfsa2022-04/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Firefox 97 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-22753","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22753","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"22753","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"22753","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"22753","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"22753","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-22753","qid":"296062","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 43.113.3 Missing (CPUJAN2022)"},{"cve":"CVE-2022-22753","qid":"376387","title":"Mozilla Firefox Multiple Vulnerabilities (MFSA2022-04)"},{"cve":"CVE-2022-22753","qid":"376388","title":"Mozilla Firefox ESR Multiple Vulnerabilities (MFSA2022-05)"},{"cve":"CVE-2022-22753","qid":"376402","title":"Mozilla Thunderbird Multiple Vulnerabilities (MFSA2022-06)"},{"cve":"CVE-2022-22753","qid":"502385","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2022-22753","qid":"502688","title":"Alpine Linux Security Update for firefox"},{"cve":"CVE-2022-22753","qid":"505452","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2022-22753","qid":"710574","title":"Gentoo Linux Mozilla Firefox Multiple Vulnerabilities (GLSA 202202-03)"},{"cve":"CVE-2022-22753","qid":"751758","title":"OpenSUSE Security Update for MozillaThunderbird (openSUSE-SU-2022:0559-1)"},{"cve":"CVE-2022-22753","qid":"751761","title":"SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2022:0565-1)"},{"cve":"CVE-2022-22753","qid":"751777","title":"SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2022:0676-1)"},{"cve":"CVE-2022-22753","qid":"751786","title":"SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2022:0696-1)"},{"cve":"CVE-2022-22753","qid":"751827","title":"OpenSUSE Security Update for MozillaFirefox (openSUSE-SU-2022:40696-1)"},{"cve":"CVE-2022-22753","qid":"753305","title":"SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2022:14896-1)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2022-22753","ASSIGNER":"security@mozilla.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Mozilla","product":{"product_data":[{"product_name":"Firefox","version":{"version_data":[{"version_value":"97","version_affected":"<"}]}},{"product_name":"Thunderbird","version":{"version_data":[{"version_value":"91.6","version_affected":"<"}]}},{"product_name":"Firefox ESR","version":{"version_data":[{"version_value":"91.6","version_affected":"<"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Privilege Escalation to SYSTEM on Windows via Maintenance Service"}]}]},"references":{"reference_data":[{"url":"https://www.mozilla.org/security/advisories/mfsa2022-05/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2022-05/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2022-04/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2022-04/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2022-06/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2022-06/"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1732435","refsource":"MISC","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1732435"}]},"description":{"description_data":[{"lang":"eng","value":"A Time-of-Check Time-of-Use bug existed in the Maintenance (Updater) Service that could be abused to grant Users write access to an arbitrary directory. This could have been used to escalate to SYSTEM access.<br>*This bug only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6."}]}},"nvd":{"publishedDate":"2022-12-22 20:15:00","lastModifiedDate":"2022-12-29 23:03:00","problem_types":["CWE-367"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.1,"baseSeverity":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndExcluding":"97.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*","versionEndExcluding":"91.6","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionEndExcluding":"91.6","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"22753","Ordinal":"225187","Title":"CVE-2022-22753","CVE":"CVE-2022-22753","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"22753","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}