{"api_version":"1","generated_at":"2026-04-23T04:11:28+00:00","cve":"CVE-2022-34471","urls":{"html":"https://cve.report/CVE-2022-34471","api":"https://cve.report/api/cve/CVE-2022-34471.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-34471","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-34471"},"summary":{"title":"CVE-2022-34471","description":"When downloading an update for an addon, the downloaded addon update's version was not verified to match the version selected from the manifest. If the manifest had been tampered with on the server, an attacker could trick the browser into downgrading the addon to a prior version. This vulnerability affects Firefox < 102.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2022-12-22 20:15:00","updated_at":"2023-01-04 16:04:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1766047","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1766047","refsource":"MISC","tags":[],"title":"Access Denied","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2022-24/","name":"https://www.mozilla.org/security/advisories/mfsa2022-24/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Firefox 102 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-34471","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-34471","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"34471","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-34471","qid":"198849","title":"Ubuntu Security Notification for Firefox Vulnerabilities (USN-5504-1)"},{"cve":"CVE-2022-34471","qid":"376705","title":"Mozilla Firefox Multiple Vulnerabilities (MFSA2022-24)"},{"cve":"CVE-2022-34471","qid":"502853","title":"Alpine Linux Security Update for firefox"},{"cve":"CVE-2022-34471","qid":"505737","title":"Alpine Linux Security Update for firefox"},{"cve":"CVE-2022-34471","qid":"710582","title":"Gentoo Linux Mozilla Firefox Multiple Vulnerabilities (GLSA 202208-08)"},{"cve":"CVE-2022-34471","qid":"752583","title":"SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2022:3273-1)"},{"cve":"CVE-2022-34471","qid":"752590","title":"SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2022:3272-1)"},{"cve":"CVE-2022-34471","qid":"752611","title":"SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2022:3396-1)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2022-34471","ASSIGNER":"security@mozilla.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Mozilla","product":{"product_data":[{"product_name":"Firefox","version":{"version_data":[{"version_value":"102","version_affected":"<"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Compromised server could trick a browser into an addon downgrade"}]}]},"references":{"reference_data":[{"url":"https://www.mozilla.org/security/advisories/mfsa2022-24/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2022-24/"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1766047","refsource":"MISC","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1766047"}]},"description":{"description_data":[{"lang":"eng","value":"When downloading an update for an addon, the downloaded addon update's version was not verified to match the version selected from the manifest. If the manifest had been tampered with on the server, an attacker could trick the browser into downgrading the addon to a prior version. This vulnerability affects Firefox < 102."}]}},"nvd":{"publishedDate":"2022-12-22 20:15:00","lastModifiedDate":"2023-01-04 16:04:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndExcluding":"102.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}