Ubuntu Linux Canonical Ubuntu Linux Linux Operating System

Do you want an email whenever new security vulnerabilities are reported in Canonical Ubuntu Linux?

Recent Canonical Ubuntu Linux Security Advisories

Advisory Title Published
USN-5841-1 USN-5841-1: LibTIFF vulnerabilities February 2, 2023
USN-5840-1 USN-5840-1: Long Range ZIP vulnerabilities February 2, 2023
USN-5839-2 USN-5839-2: Apache HTTP Server vulnerability February 2, 2023
USN-5837-2 USN-5837-2: Django vulnerability February 1, 2023
USN-5838-1 USN-5838-1: AdvanceCOMP vulnerabilities February 1, 2023
USN-5839-1 USN-5839-1: Apache HTTP Server vulnerabilities February 1, 2023
USN-5837-1 USN-5837-1: Django vulnerability February 1, 2023
USN-4781-2 USN-4781-2: Slurm vulnerabilities February 1, 2023
USN-5836-1 USN-5836-1: Vim vulnerabilities January 31, 2023
USN-5835-3 USN-5835-3: Nova vulnerability January 31, 2023

@ubuntu Tweets

In a highly regulated industry, it’s key to ensure your open-source stack has the right security requirements in pl… https://t.co/fUaw0Ak6es
Thu Feb 02 14:03:06 +0000 2023

What do you need to keep your #opensource software free from vulnerabilities and threats? Register for our webina… https://t.co/Pd72BW0tF0
Thu Feb 02 09:56:58 +0000 2023

Using industry best-practice guidelines, such as the Center for Internet Security's benchmarks, this whitepaper wil… https://t.co/gOTOA9GWG7
Wed Feb 01 22:47:06 +0000 2023

RT @Canonical: The latest update for Multipass (version 1.11) has just been released. Read our blog to learn more about the improvements a…
Wed Feb 01 16:29:53 +0000 2023

Hackers scan for outdated systems containing vulnerabilities, which they then exploit by deploying targeted malware… https://t.co/lSRszveWJb
Tue Jan 31 11:00:12 +0000 2023

By the Year

In 2023 there have been 21 vulnerabilities in Canonical Ubuntu Linux with an average score of 7.6 out of ten. Last year Ubuntu Linux had 742 security vulnerabilities published. Right now, Ubuntu Linux is on track to have less security vulnerabilities in 2023 than it did last year. However, the average CVE base score of the vulnerabilities in 2023 is greater by 0.61.

Year Vulnerabilities Average Score
2023 21 7.58
2022 742 6.96
2021 525 6.70
2020 617 6.34
2019 612 6.97
2018 839 7.15

It may take a day or so for new Ubuntu Linux vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Canonical Ubuntu Linux Security Vulnerabilities

This issue can affect BIND 9 resolvers with `stale-answer-enable yes;`

CVE-2022-3924 - January 26, 2023

This issue can affect BIND 9 resolvers with `stale-answer-enable yes;` that also make use of the option `stale-answer-client-timeout`, configured with a value greater than zero. If the resolver receives many queries that require recursion, there will be a corresponding increase in the number of clients that are waiting for recursion to complete. If there are sufficient clients already waiting when a new client query is received so that it is necessary to SERVFAIL the longest waiting client (see BIND 9 ARM `recursive-clients` limit and soft quota), then it is possible for a race to occur between providing a stale answer to this older client and sending an early timeout SERVFAIL, which may cause an assertion failure. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.

BIND 9 resolver can crash when stale cache and stale answers are enabled

CVE-2022-3736 - January 26, 2023

BIND 9 resolver can crash when stale cache and stale answers are enabled, option `stale-answer-client-timeout` is set to a positive integer, and the resolver receives an RRSIG query. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.

Sending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory

CVE-2022-3094 - January 26, 2023

Sending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory. This, in turn, may cause `named` to exit due to a lack of free memory. We are not aware of any cases where this has been exploited. Memory is allocated prior to the checking of access permissions (ACLs) and is retained during the processing of a dynamic update from a client whose access credentials are accepted. Memory allocated to clients that are not permitted to send updates is released immediately upon rejection. The scope of this vulnerability is limited therefore to trusted clients who are permitted to make dynamic zone changes. If a dynamic update is REFUSED, memory will be released again very quickly. Therefore it is only likely to be possible to degrade or stop `named` by sending a flood of unaccepted dynamic updates comparable in magnitude to a query flood intended to achieve the same detrimental outcome. BIND 9.11 and earlier branches are also affected, but through exhaustion of internal resources rather than memory constraints. This may reduce performance but should not be a significant problem for most servers. Therefore we don't intend to address this for BIND versions prior to BIND 9.16. This issue affects BIND 9 versions 9.16.0 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.8-S1 through 9.16.36-S1.

processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based buffer overflow (e.g

CVE-2022-48281 5.5 - Medium - January 23, 2023

processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based buffer overflow (e.g., "WRITE of size 307203") via a crafted TIFF image.

Memory Corruption

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.

CVE-2023-0433 7.8 - High - January 21, 2023

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.

Heap-based Buffer Overflow

A null pointer dereference issue was discovered in function gui_x11_create_blank_mouse in gui_x11.c in vim 8.1.2269 thru 9.0.0339

CVE-2022-47024 7.8 - High - January 20, 2023

A null pointer dereference issue was discovered in function gui_x11_create_blank_mouse in gui_x11.c in vim 8.1.2269 thru 9.0.0339 allows attackers to cause denial of service or other unspecified impacts.

NULL Pointer Dereference

In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR)

CVE-2023-22809 7.8 - High - January 18, 2023

In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.

Improper Privilege Management

Git is distributed revision control system

CVE-2022-41903 9.8 - Critical - January 17, 2023

Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.

Integer Overflow or Wraparound

Git is distributed revision control system

CVE-2022-23521 9.8 - Critical - January 17, 2023

Git is distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequentially, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue.

Integer Overflow or Wraparound

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server

CVE-2022-36760 9 - Critical - January 17, 2023

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.

HTTP Request Smuggling

A carefully crafted If: request header

CVE-2006-20001 7.5 - High - January 17, 2023

A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier.

Memory Corruption

Prior to Apache HTTP Server 2.4.55, a malicious backend

CVE-2022-37436 5.3 - Medium - January 17, 2023

Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.

Interpretation Conflict

In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the server will try to look

CVE-2022-41860 7.5 - High - January 17, 2023

In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries. This lookup will fail, but the SIM code will not check for that failure. Instead, it will dereference a NULL pointer, and cause the server to crash.

NULL Pointer Dereference

A flaw was found in freeradius

CVE-2022-41861 6.5 - Medium - January 17, 2023

A flaw was found in freeradius. A malicious RADIUS client or home server can send a malformed abinary attribute which can cause the server to crash.

Resource Exhaustion

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1189.

CVE-2023-0288 7.8 - High - January 13, 2023

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1189.

Heap-based Buffer Overflow

A buffer overflow flaw was found in the Linux kernel Broadcom Full MAC Wi-Fi driver

CVE-2022-3628 6.6 - Medium - January 12, 2023

A buffer overflow flaw was found in the Linux kernel Broadcom Full MAC Wi-Fi driver. This issue occurs when a user connects to a malicious USB device. This can allow a local user to crash the system or escalate their privileges.

Classic Buffer Overflow

A use-after-free flaw was found in the Linux kernel MCTP (Management Component Transport Protocol) functionality

CVE-2022-3977 7.8 - High - January 12, 2023

A use-after-free flaw was found in the Linux kernel MCTP (Management Component Transport Protocol) functionality. This issue occurs when a user simultaneously calls DROPTAG ioctl and socket close happens, which could allow a local user to crash the system or potentially escalate their privileges on the system.

Dangling pointer

A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal

CVE-2022-3437 6.5 - Medium - January 12, 2023

A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The DES and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet. This flaw allows a remote user to send specially crafted malicious data to the application, possibly resulting in a denial of service (DoS) attack.

Memory Corruption

A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain kernel parameters and variables

CVE-2022-4378 7.8 - High - January 05, 2023

A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system.

Memory Corruption

Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145.

CVE-2023-0054 7.8 - High - January 04, 2023

Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145.

Memory Corruption

Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143.

CVE-2023-0049 7.8 - High - January 04, 2023

Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143.

Out-of-bounds Read

Heimdal before 7.7.1

CVE-2021-44758 7.5 - High - December 26, 2022

Heimdal before 7.7.1 allows attackers to cause a NULL pointer dereference in a SPNEGO acceptor via a preferred_mech_type of GSS_C_NO_OID and a nonzero initial_response value to send_accept.

NULL Pointer Dereference

A buffer over-read was discovered in libntlmauth in Squid 2.5 through 5.6

CVE-2022-41318 7.5 - High - December 25, 2022

A buffer over-read was discovered in libntlmauth in Squid 2.5 through 5.6. Due to incorrect integer-overflow protection, the SSPI and SMB authentication helpers are vulnerable to reading unintended memory locations. In some configurations, cleartext credentials from these locations are sent to a client. This is fixed in 5.7.

Out-of-bounds Read

An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6

CVE-2022-41317 6.5 - Medium - December 25, 2022

An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7.

Exposure of Resource to Wrong Sphere

PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow)

CVE-2022-42898 8.8 - High - December 25, 2022

PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."

Integer Overflow or Wraparound

Heimdal before 7.7.1

CVE-2022-44640 9.8 - Critical - December 25, 2022

Heimdal before 7.7.1 allows remote attackers to execute arbitrary code because of an invalid free in the ASN.1 codec used by the Key Distribution Center (KDC).

A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP

CVE-2022-43551 7.5 - High - December 23, 2022

A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.

Cleartext Transmission of Sensitive Information

An out of date library (libusrsctp) contained vulnerabilities that could potentially be exploited

CVE-2022-46871 8.8 - High - December 22, 2022

An out of date library (libusrsctp) contained vulnerabilities that could potentially be exploited. This vulnerability affects Firefox < 108.

An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files

CVE-2022-46872 8.6 - High - December 22, 2022

An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages.<br>*This bug only affects Thunderbird for Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird < 102.6.

Because Firefox did not implement the <code>unsafe-hashes</code> CSP directive

CVE-2022-46873 8.8 - High - December 22, 2022

Because Firefox did not implement the <code>unsafe-hashes</code> CSP directive, an attacker who was able to inject markup into a page otherwise protected by a Content Security Policy may have been able to inject executable script. This would be severely constrained by the specified Content Security Policy of the document. This vulnerability affects Firefox < 108.

Injection

A file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place

CVE-2022-46874 8.8 - High - December 22, 2022

A file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place. This could potentially led to user confusion and the execution of malicious code.<br/>*Note*: This issue was originally included in the advisories for Thunderbird 102.6, but a patch (specific to Thunderbird) was omitted, resulting in it actually being fixed in Thunderbird 102.6.1. This vulnerability affects Firefox < 108, Thunderbird < 102.6.1, Thunderbird < 102.6, and Firefox ESR < 102.6.

By confusing the browser

CVE-2022-46877 4.3 - Medium - December 22, 2022

By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 108.

Mozilla developers Randell Jesup

CVE-2022-46878 8.8 - High - December 22, 2022

Mozilla developers Randell Jesup, Valentin Gosu, Olli Pettay, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 102.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird < 102.6.

Mozilla developers and community members Lukas Bernhard

CVE-2022-46879 8.8 - High - December 22, 2022

Mozilla developers and community members Lukas Bernhard, Gabriele Svelto, Randell Jesup, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 107. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 108.

Removing an XSLT parameter during processing could have lead to an exploitable use-after-free

CVE-2022-26485 8.8 - High - December 22, 2022

Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.

Dangling pointer

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape

CVE-2022-26486 9.6 - Critical - December 22, 2022

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.

Dangling pointer

When receiving an OpenPGP/MIME signed email message

CVE-2021-4126 6.5 - Medium - December 22, 2022

When receiving an OpenPGP/MIME signed email message that contains an additional outer MIME message layer, for example a message footer added by a mailing list gateway, Thunderbird only considered the inner signed message for the signature validity. This gave the false impression that the additional contents were also covered by the digital signature. Starting with Thunderbird version 91.4.1, only the signature that belongs to the top level MIME part will be considered for the displayed status. This vulnerability affects Thunderbird < 91.4.1.

Mozilla developers Calixte Denizet

CVE-2022-22751 8.8 - High - December 22, 2022

Mozilla developers Calixte Denizet, Kershaw Chang, Christian Holler, Jason Kratzer, Gabriele Svelto, Tyson Smith, Simon Giesecke, and Steve Fink reported memory safety bugs present in Firefox 95 and Firefox ESR 91.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

Memory Corruption

Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol

CVE-2022-22748 6.5 - Medium - December 22, 2022

Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash

CVE-2022-22747 6.5 - Medium - December 22, 2022

After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to be unexploitable. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

Improper Certificate Validation

Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations

CVE-2022-22745 6.5 - Medium - December 22, 2022

Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

When navigating from inside an iframe while requesting fullscreen access

CVE-2022-22743 4.3 - Medium - December 22, 2022

When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

It may be possible for an attacker to craft an email message

CVE-2022-0566 8.8 - High - December 22, 2022

It may be possible for an attacker to craft an email message that causes Thunderbird to perform an out-of-bounds write of one byte when processing the message. This vulnerability affects Thunderbird < 91.6.1.

Memory Corruption

Previously Firefox for macOS and Linux

CVE-2022-26386 6.5 - Medium - December 22, 2022

Previously Firefox for macOS and Linux would download temporary files to a user-specific directory in <code>/tmp</code>, but this behavior was changed to download them to <code>/tmp</code> where they could be affected by other local users. This behavior was reverted to the original, user-specific directory. <br>*This bug only affects Firefox for macOS and Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 91.7 and Thunderbird < 91.7.

When a worker is shutdown, it was possible to cause script to run late in the lifecycle, at a point after where it should not be possible

CVE-2022-22763 8.8 - High - December 22, 2022

When a worker is shutdown, it was possible to cause script to run late in the lifecycle, at a point after where it should not be possible. This vulnerability affects Firefox < 96, Thunderbird < 91.6, and Firefox ESR < 91.6.

When inserting text while in edit mode

CVE-2022-22742 6.5 - Medium - December 22, 2022

When inserting text while in edit mode, some characters might have lead to out-of-bounds memory access causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

Out-of-bounds Read

When resizing a popup while requesting fullscreen access, the popup would have become unable to leave fullscreen mode

CVE-2022-22741 7.5 - High - December 22, 2022

When resizing a popup while requesting fullscreen access, the popup would have become unable to leave fullscreen mode. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

Certain network request objects were freed too early when releasing a network request handle

CVE-2022-22740 8.8 - High - December 22, 2022

Certain network request objects were freed too early when releasing a network request handle. This could have lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

Dangling pointer

Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol

CVE-2022-22739 6.5 - Medium - December 22, 2022

Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

Applying a CSS filter effect could have accessed out of bounds memory

CVE-2022-22738 8.8 - High - December 22, 2022

Applying a CSS filter effect could have accessed out of bounds memory. This could have lead to a heap-buffer-overflow causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

Memory Corruption

Constructing audio sinks could have lead to a race condition when playing audio files and closing windows

CVE-2022-22737 7.5 - High - December 22, 2022

Constructing audio sinks could have lead to a race condition when playing audio files and closing windows. This could have lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

Dangling pointer

It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox

CVE-2021-4140 10 - Critical - December 22, 2022

It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

aka Blind XPath Injection

Mozilla developers and community members Julian Hector

CVE-2021-4129 9.8 - Critical - December 22, 2022

Mozilla developers and community members Julian Hector, Randell Jesup, Gabriele Svelto, Tyson Smith, Christian Holler, and Masayuki Nakano reported memory safety bugs present in Firefox 94. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 95, Firefox ESR < 91.4.0, and Thunderbird < 91.4.0.

Mozilla developers and community members Gabriele Svelto

CVE-2022-0511 8.8 - High - December 22, 2022

Mozilla developers and community members Gabriele Svelto, Sebastian Hengst, Randell Jesup, Luan Herrera, Lars T Hansen, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 97.

Memory Corruption

By using XSL Transforms, a malicious webserver could have served a user an XSL document

CVE-2022-22755 8.8 - High - December 22, 2022

By using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute JavaScript (within the bounds of the same-origin policy) even after the tab was closed. This vulnerability affects Firefox < 97.

Operation on a Resource after Expiration or Release

If a document created a sandboxed iframe without <code>allow-scripts</code>, and subsequently appended an element to the iframe's document

CVE-2022-22759 9.6 - Critical - December 22, 2022

If a document created a sandboxed iframe without <code>allow-scripts</code>, and subsequently appended an element to the iframe's document that e.g. had a JavaScript event handler - the event handler would have run despite the iframe's sandbox. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.

While the text displayed in Autofill tooltips cannot be directly read by JavaScript, the text was rendered using page fonts

CVE-2022-26382 4.3 - Medium - December 22, 2022

While the text displayed in Autofill tooltips cannot be directly read by JavaScript, the text was rendered using page fonts. Side-channel attacks on the text by using specially crafted fonts could have lead to this text being inferred by the webpage. This vulnerability affects Firefox < 98.

Side Channel Attack

When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification

CVE-2022-26383 4.3 - Medium - December 22, 2022

When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.

When importing resources using Web Workers, error messages

CVE-2022-22760 6.5 - Medium - December 22, 2022

When importing resources using Web Workers, error messages would distinguish the difference between <code>application/javascript</code> responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.

Generation of Error Message Containing Sensitive Information

If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link

CVE-2022-26384 9.6 - Critical - December 22, 2022

If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.

In unusual circumstances, an individual thread may outlive the thread's manager during shutdown

CVE-2022-26385 6.5 - Medium - December 22, 2022

In unusual circumstances, an individual thread may outlive the thread's manager during shutdown. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 98.

Dangling pointer

When installing an add-on, Firefox verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Firefox

CVE-2022-26387 7.5 - High - December 22, 2022

When installing an add-on, Firefox verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Firefox would not have noticed. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.

TOCTTOU

Remote Agent, used in WebDriver, did not validate the Host or Origin headers

CVE-2022-22757 6.5 - Medium - December 22, 2022

Remote Agent, used in WebDriver, did not validate the Host or Origin headers. This could have allowed websites to connect back locally to the user's browser to control it. <br>*This bug only affected Firefox when WebDriver was enabled, which is not the default configuration.*. This vulnerability affects Firefox < 97.

Improper Input Validation

An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash

CVE-2022-26381 8.8 - High - December 22, 2022

An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.

Dangling pointer

Mozilla developers Kershaw Chang, Ryan VanderMeulen, and Randell Jesup reported memory safety bugs present in Firefox 97

CVE-2022-0843 8.8 - High - December 22, 2022

Mozilla developers Kershaw Chang, Ryan VanderMeulen, and Randell Jesup reported memory safety bugs present in Firefox 97. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 98.

Memory Corruption

If a user was convinced to drag and drop an image to their desktop or other folder, the resulting object could have been changed into an executable script

CVE-2022-22756 8.8 - High - December 22, 2022

If a user was convinced to drag and drop an image to their desktop or other folder, the resulting object could have been changed into an executable script which would have run arbitrary code after the user clicked on it. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.

If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt

CVE-2022-22754 6.5 - Medium - December 22, 2022

If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.

AuthZ

Mozilla developers Paul Adenot and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96 and Firefox ESR 91.5

CVE-2022-22764 8.8 - High - December 22, 2022

Mozilla developers Paul Adenot and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96 and Firefox ESR 91.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.

Buffer Overflow

Web-accessible extension pages (pages with a moz-extension:// scheme) were not correctly enforcing the frame-ancestors directive when it was used in the Web Extension's Content Security Policy

CVE-2022-22761 8.8 - High - December 22, 2022

Web-accessible extension pages (pages with a moz-extension:// scheme) were not correctly enforcing the frame-ancestors directive when it was used in the Web Extension's Content Security Policy. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.

Keyboard events reference strings like "KeyA" that were at fixed, known, and widely-spread addresses

CVE-2022-45416 6.5 - Medium - December 22, 2022

Keyboard events reference strings like "KeyA" that were at fixed, known, and widely-spread addresses. Cache-based timing attacks such as Prime+Probe could have possibly figured out which keys were being pressed. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

Side Channel Attack

Service Workers did not detect Private Browsing Mode correctly in all cases

CVE-2022-45417 4.3 - Medium - December 22, 2022

Service Workers did not detect Private Browsing Mode correctly in all cases, which could have led to Service Workers being written to disk for websites visited in Private Browsing Mode. This would not have persisted them in a state where they would run again, but it would have leaked Private Browsing Mode details to disk. This vulnerability affects Firefox < 107.

Clickjacking

When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with

CVE-2022-45415 7.8 - High - December 22, 2022

When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with that extension, leading to possible system compromise if the downloaded file was later ran. This vulnerability affects Firefox < 107.

When resolving a symlink such as <code>file:///proc/self/fd/1</code>

CVE-2022-45412 8.8 - High - December 22, 2022

When resolving a symlink such as <code>file:///proc/self/fd/1</code>, an error message may be produced where the symlink was resolved to a string containing unitialized memory in the buffer. <br>*This bug only affects Thunderbird on Unix-based operated systems (Android, Linux, MacOS). Windows is unaffected.*. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

insecure temporary file

Mozilla developers Andrew McCreight and Gabriele Svelto reported memory safety bugs present in Thunderbird 102.4

CVE-2022-45421 8.8 - High - December 22, 2022

Mozilla developers Andrew McCreight and Gabriele Svelto reported memory safety bugs present in Thunderbird 102.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102

CVE-2022-2505 8.8 - High - December 22, 2022

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.1, Firefox < 103, and Thunderbird < 102.1.

Memory Corruption

Use tables inside of an iframe

CVE-2022-45420 6.5 - Medium - December 22, 2022

Use tables inside of an iframe, an attacker could have caused iframe contents to be rendered outside the boundaries of the iframe, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

Clickjacking

If the user added a security exception for an invalid TLS certificate, opened an ongoing TLS connection with a server

CVE-2022-45419 6.5 - Medium - December 22, 2022

If the user added a security exception for an invalid TLS certificate, opened an ongoing TLS connection with a server that used that certificate, and then deleted the exception, Firefox would have kept the connection alive, making it seem like the certificate was still trusted. This vulnerability affects Firefox < 107.

Improper Certificate Validation

If a custom mouse cursor is specified in CSS

CVE-2022-45418 6.1 - Medium - December 22, 2022

If a custom mouse cursor is specified in CSS, under certain circumstances the cursor could have been drawn over the browser UI, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

Clickjacking

Using the <code>S.browser_fallback_url parameter</code> parameter, an attacker could redirect a user to a URL

CVE-2022-45413 6.1 - Medium - December 22, 2022

Using the <code>S.browser_fallback_url parameter</code> parameter, an attacker could redirect a user to a URL and cause SameSite=Strict cookies to be sent.<br>*This issue only affects Firefox for Android. Other operating systems are not affected.*. This vulnerability affects Firefox < 107.

Open Redirect

Cross-Site Tracing occurs when a server will echo a request back via the Trace method

CVE-2022-45411 6.1 - Medium - December 22, 2022

Cross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access to authorization headers and cookies inaccessible to JavaScript (such as cookies protected by HTTPOnly). To mitigate this attack, browsers placed limits on <code>fetch()</code> and XMLHttpRequest; however some webservers have implemented non-standard headers such as <code>X-Http-Method-Override</code> that override the HTTP method, and made this attack possible again. Thunderbird has applied the same mitigations to the use of this and similar headers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

XSS

When a ServiceWorker intercepted a request with <code>FetchEvent</code>

CVE-2022-45410 6.5 - Medium - December 22, 2022

When a ServiceWorker intercepted a request with <code>FetchEvent</code>, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

Logins saved by Firefox should be managed by the Password Manager component which uses encryption to save files on-disk

CVE-2022-42931 3.3 - Low - December 22, 2022

Logins saved by Firefox should be managed by the Password Manager component which uses encryption to save files on-disk. Instead, the username (not password) was saved by the Form Manager to an unencrypted file on disk. This vulnerability affects Firefox < 106.

Insecure Storage of Sensitive Information

If a Thunderbird user replied to a crafted HTML email containing a <code>meta</code> tag, with the <code>meta</code> tag having the <code>http-equiv="refresh"</code> attribute, and the content attribute specifying an URL, then Thunderbird started a network request to

CVE-2022-3033 8.1 - High - December 22, 2022

If a Thunderbird user replied to a crafted HTML email containing a <code>meta</code> tag, with the <code>meta</code> tag having the <code>http-equiv="refresh"</code> attribute, and the content attribute specifying an URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. The JavaScript code was able to perform actions including, but probably not limited to, read and modify the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email. The contents could then be transmitted to the network, either to the URL specified in the META refresh tag, or to a different URL, as the JavaScript code could modify the URL specified in the document. This bug doesn't affect users who have changed the default Message Body display setting to 'simple html' or 'plain text'. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.

Code Injection

An out-of-bounds read can occur when decoding H264 video

CVE-2022-3266 5.5 - Medium - December 22, 2022

An out-of-bounds read can occur when decoding H264 video. This results in a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.

Out-of-bounds Read

When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead

CVE-2022-40956 6.1 - Medium - December 22, 2022

When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.

XSS

Inconsistent data in instruction and data cache when creating wasm code could lead to a potentially exploitable crash

CVE-2022-40957 6.5 - Medium - December 22, 2022

Inconsistent data in instruction and data cache when creating wasm code could lead to a potentially exploitable crash.<br>*This bug only affects Firefox on ARM64 platforms.*. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.

By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies

CVE-2022-40958 6.5 - Medium - December 22, 2022

By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.

Injection

During iframe navigation, certain pages did not have their FeaturePolicy fully initialized leading to a bypass

CVE-2022-40959 6.5 - Medium - December 22, 2022

During iframe navigation, certain pages did not have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.

Insecure Storage of Sensitive Information

Concurrent use of the URL parser with non-UTF-8 data was not thread-safe

CVE-2022-40960 6.5 - Medium - December 22, 2022

Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.

Dangling pointer

Mozilla developers Nika Layzell

CVE-2022-40962 8.8 - High - December 22, 2022

Mozilla developers Nika Layzell, Timothy Nikkel, Sebastian Hengst, Andreas Pehrson, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 104 and Firefox ESR 102.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.

The garbage collector could have been aborted in several states and zones and <code>GCRuntime::finishCollection</code> may not have been called

CVE-2022-45409 8.8 - High - December 22, 2022

The garbage collector could have been aborted in several states and zones and <code>GCRuntime::finishCollection</code> may not have been called, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

Dangling pointer

Through a series of popups

CVE-2022-45408 6.5 - Medium - December 22, 2022

Through a series of popups that reuse windowName, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

If an attacker loaded a font using <code>FontFace()</code> on a background worker

CVE-2022-45407 7.5 - High - December 22, 2022

If an attacker loaded a font using <code>FontFace()</code> on a background worker, a use-after-free could have occurred, leading to a potentially exploitable crash. This vulnerability affects Firefox < 107.

Dangling pointer

If an out-of-memory condition occurred when creating a JavaScript global

CVE-2022-45406 9.8 - Critical - December 22, 2022

If an out-of-memory condition occurred when creating a JavaScript global, a JavaScript realm may be deleted while references to it lived on in a BaseShape. This could lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

Memory Corruption

Freeing arbitrary <code>nsIInputStream</code>'s on a different thread than creation could have led to a use-after-free and potentially exploitable crash

CVE-2022-45405 6.5 - Medium - December 22, 2022

Freeing arbitrary <code>nsIInputStream</code>'s on a different thread than creation could have led to a use-after-free and potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

Dangling pointer

Through a series of popup and <code>window.print()</code> calls, an attacker

CVE-2022-45404 6.5 - Medium - December 22, 2022

Through a series of popup and <code>window.print()</code> calls, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

Service Workers should not be able to infer information about opaque cross-origin responses; but timing information for cross-origin media combined with Range requests might have

CVE-2022-45403 6.5 - Medium - December 22, 2022

Service Workers should not be able to infer information about opaque cross-origin responses; but timing information for cross-origin media combined with Range requests might have allowed them to determine the presence or length of a media file. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

Side Channel Attack

A same-origin policy violation could have

CVE-2022-42927 8.1 - High - December 22, 2022

A same-origin policy violation could have allowed the theft of cross-origin URL entries, leaking the result of a redirect, via <code>performance.getEntries()</code>. This vulnerability affects Thunderbird < 102.4, Firefox ESR < 102.4, and Firefox < 106.

Origin Validation Error

When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected

CVE-2022-36318 5.3 - Medium - December 22, 2022

When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.

Race Condition

When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed

CVE-2022-36319 7.5 - High - December 22, 2022

When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Mozilla Firefox or by Canonical? Click the Watch button to subscribe.

Canonical
Vendor

Canonical Ubuntu Linux
Linux Operating System

subscribe