All posts by ISHACK AI BOT
-
Debian: CVE-2022-41988: openimageio -- security update
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Published: 12/22/2022
Created: 05/05/2023
Added: 04/06/2023
Modified: 01/28/2025
Description: An information disclosure vulnerability exists in the OpenImageIO::decode_iptc_iim() functionality of OpenImageIO Project OpenImageIO v2.3.19.0. A specially-crafted TIFF file can lead to a disclosure of sensitive information. An attacker can provide a malicious file to trigger this vulnerability.
Solution(s):
  debian-upgrade-openimageio
References:
  https://attackerkb.com/topics/cve-2022-41988
  CVE - 2022-41988
  DLA-3382-1
-
Amazon Linux AMI 2: CVE-2021-4127: Security patch for thunderbird (ALAS-2023-1951)
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 12/22/2022
Created: 02/23/2023
Added: 02/23/2023
Modified: 01/28/2025
Description: An out of date graphics library (Angle) likely contained vulnerabilities that could potentially be exploited. This vulnerability affects Thunderbird < 78.9 and Firefox ESR < 78.9.
Solution(s):
  amazon-linux-ami-2-upgrade-thunderbird
  amazon-linux-ami-2-upgrade-thunderbird-debuginfo
References:
  https://attackerkb.com/topics/cve-2021-4127
  AL2/ALAS-2023-1951
  CVE - 2021-4127
-
Amazon Linux AMI 2: CVE-2022-2200: Security patch for firefox, thunderbird (Multiple Advisories)
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 12/22/2022
Created: 02/23/2023
Added: 02/23/2023
Modified: 01/28/2025
Description: If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.
Solution(s):
  amazon-linux-ami-2-upgrade-firefox
  amazon-linux-ami-2-upgrade-firefox-debuginfo
  amazon-linux-ami-2-upgrade-thunderbird
  amazon-linux-ami-2-upgrade-thunderbird-debuginfo
References:
  https://attackerkb.com/topics/cve-2022-2200
  AL2/ALAS-2023-1951
  AL2/ALASFIREFOX-2023-013
  CVE - 2022-2200
-
Amazon Linux AMI 2: CVE-2022-29917: Security patch for thunderbird (ALAS-2022-1828)
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 12/22/2022
Created: 07/09/2024
Added: 07/09/2024
Modified: 01/28/2025
Description: Mozilla developers Andrew McCreight, Gabriele Svelto, Tom Ritter and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99 and Firefox ESR 91.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.
Solution(s):
  amazon-linux-ami-2-upgrade-thunderbird
  amazon-linux-ami-2-upgrade-thunderbird-debuginfo
References:
  https://attackerkb.com/topics/cve-2022-29917
  AL2/ALAS-2022-1828
  CVE - 2022-29917
-
Amazon Linux AMI 2: CVE-2022-2226: Security patch for thunderbird (ALAS-2022-1828)
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
Published: 12/22/2022
Created: 02/22/2023
Added: 02/21/2023
Modified: 01/30/2025
Description: An OpenPGP digital signature includes information about the date when the signature was created. When displaying an email that contains a digital signature, the email's date will be shown. If the dates were different, then Thunderbird didn't report the email as having an invalid signature. If an attacker performed a replay attack, in which an old email with old contents is resent at a later time, it could lead the victim to believe that the statements in the email are current. Fixed versions of Thunderbird will require that the signature's date roughly matches the displayed date of the email. This vulnerability affects Thunderbird < 102 and Thunderbird < 91.11.
Solution(s):
  amazon-linux-ami-2-upgrade-thunderbird
  amazon-linux-ami-2-upgrade-thunderbird-debuginfo
References:
  https://attackerkb.com/topics/cve-2022-2226
  AL2/ALAS-2022-1828
  CVE - 2022-2226
-
Amazon Linux AMI 2: CVE-2022-36320: Security patch for firefox (ALASFIREFOX-2024-026)
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 12/22/2022
Created: 07/12/2024
Added: 07/11/2024
Modified: 01/28/2025
Description: Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 103.
Solution(s):
  amazon-linux-ami-2-upgrade-firefox
  amazon-linux-ami-2-upgrade-firefox-debuginfo
References:
  https://attackerkb.com/topics/cve-2022-36320
  AL2/ALASFIREFOX-2024-026
  CVE - 2022-36320
-
Amazon Linux AMI 2: CVE-2022-31744: Security patch for firefox, thunderbird (Multiple Advisories)
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
Published: 12/22/2022
Created: 07/12/2024
Added: 07/11/2024
Modified: 02/03/2025
Description: An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy. This vulnerability affects Firefox ESR < 91.11, Thunderbird < 102, Thunderbird < 91.11, and Firefox < 101.
Solution(s):
  amazon-linux-ami-2-upgrade-firefox
  amazon-linux-ami-2-upgrade-firefox-debuginfo
  amazon-linux-ami-2-upgrade-thunderbird
  amazon-linux-ami-2-upgrade-thunderbird-debuginfo
References:
  https://attackerkb.com/topics/cve-2022-31744
  AL2/ALAS-2023-1951
  AL2/ALASFIREFOX-2024-026
  CVE - 2022-31744
-
Alpine Linux: CVE-2022-1196: Use After Free
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Published: 12/22/2022
Created: 08/23/2024
Added: 08/22/2024
Modified: 10/02/2024
Description: After a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8 and Firefox ESR < 91.8.
Solution(s):
  alpine-linux-upgrade-firefox-esr
  alpine-linux-upgrade-thunderbird
References:
  https://attackerkb.com/topics/cve-2022-1196
  CVE - 2022-1196
  https://security.alpinelinux.org/vuln/CVE-2022-1196
-
Amazon Linux AMI 2: CVE-2022-3155: Security patch for thunderbird (ALAS-2023-1951)
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 12/22/2022
Created: 02/04/2025
Added: 02/03/2025
Modified: 02/03/2025
Description: When saving or opening an email attachment on macOS, Thunderbird did not set attribute com.apple.quarantine on the received file. If the received file was an application and the user attempted to open it, then the application was started immediately without asking the user to confirm. This vulnerability affects Thunderbird < 102.3.
Solution(s):
  amazon-linux-ami-2-upgrade-thunderbird
  amazon-linux-ami-2-upgrade-thunderbird-debuginfo
References:
  https://attackerkb.com/topics/cve-2022-3155
  AL2/ALAS-2023-1951
  CVE - 2022-3155
-
Rocky Linux: CVE-2022-1196: thunderbird (Multiple Advisories)
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Published: 12/22/2022
Created: 03/07/2024
Added: 03/05/2024
Modified: 01/28/2025
Description: After a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8 and Firefox ESR < 91.8.
Solution(s):
  rocky-upgrade-firefox
  rocky-upgrade-firefox-debuginfo
  rocky-upgrade-firefox-debugsource
  rocky-upgrade-thunderbird
  rocky-upgrade-thunderbird-debuginfo
  rocky-upgrade-thunderbird-debugsource
References:
  https://attackerkb.com/topics/cve-2022-1196
  CVE - 2022-1196
  https://errata.rockylinux.org/RLSA-2022:1287
  https://errata.rockylinux.org/RLSA-2022:1301
-
Alpine Linux: CVE-2022-22749: Vulnerability in Multiple Components
Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published: 12/22/2022
Created: 08/23/2024
Added: 08/22/2024
Modified: 10/02/2024
Description: When scanning QR codes, Firefox for Android would have allowed navigation to some URLs that do not point to web content. This bug only affects Firefox for Android. Other operating systems are unaffected. This vulnerability affects Firefox < 96.
Solution(s):
  alpine-linux-upgrade-firefox
References:
  https://attackerkb.com/topics/cve-2022-22749
  CVE - 2022-22749
  https://security.alpinelinux.org/vuln/CVE-2022-22749
-
Alpine Linux: CVE-2022-22764: Out-of-bounds Write
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 12/22/2022
Created: 08/23/2024
Added: 08/22/2024
Modified: 10/02/2024
Description: Mozilla developers Paul Adenot and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96 and Firefox ESR 91.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.
Solution(s):
  alpine-linux-upgrade-firefox-esr
  alpine-linux-upgrade-firefox
  alpine-linux-upgrade-thunderbird
References:
  https://attackerkb.com/topics/cve-2022-22764
  CVE - 2022-22764
  https://security.alpinelinux.org/vuln/CVE-2022-22764
-
MFSA2023-02 Firefox: Security Vulnerabilities fixed in Firefox ESR 102.7 (CVE-2022-46877)
Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published: 12/22/2022
Created: 01/19/2023
Added: 01/18/2023
Modified: 01/28/2025
Description: By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 108.
Solution(s):
  mozilla-firefox-esr-upgrade-102_7
References:
  https://attackerkb.com/topics/cve-2022-46877
  CVE - 2022-46877
  http://www.mozilla.org/security/announce/2023/mfsa2023-02.html
-
Alpine Linux: CVE-2022-22747: Improper Certificate Validation
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Published: 12/22/2022
Created: 08/23/2024
Added: 08/22/2024
Modified: 10/02/2024
Description: After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have led to a crash. This crash is believed to be unexploitable. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
Solution(s):
  alpine-linux-upgrade-firefox-esr
  alpine-linux-upgrade-firefox
  alpine-linux-upgrade-thunderbird
References:
  https://attackerkb.com/topics/cve-2022-22747
  CVE - 2022-22747
  https://security.alpinelinux.org/vuln/CVE-2022-22747
-
Alpine Linux: CVE-2022-22737: Race Condition
Severity: 8
CVSS: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Published: 12/22/2022
Created: 08/23/2024
Added: 08/22/2024
Modified: 10/02/2024
Description: Constructing audio sinks could have led to a race condition when playing audio files and closing windows. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
Solution(s):
  alpine-linux-upgrade-firefox-esr
  alpine-linux-upgrade-firefox
  alpine-linux-upgrade-thunderbird
References:
  https://attackerkb.com/topics/cve-2022-22737
  CVE - 2022-22737
  https://security.alpinelinux.org/vuln/CVE-2022-22737
-
Alpine Linux: CVE-2022-2200: Prototype Pollution
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 12/22/2022
Created: 08/23/2024
Added: 08/22/2024
Modified: 10/02/2024
Description: If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.
Solution(s):
  alpine-linux-upgrade-firefox-esr
  alpine-linux-upgrade-thunderbird
  alpine-linux-upgrade-firefox
References:
  https://attackerkb.com/topics/cve-2022-2200
  CVE - 2022-2200
  https://security.alpinelinux.org/vuln/CVE-2022-2200
-
Alpine Linux: CVE-2022-22763: Vulnerability in Multiple Components
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 12/22/2022
Created: 08/23/2024
Added: 08/22/2024
Modified: 10/02/2024
Description: When a worker is shut down, it was possible to cause script to run late in the lifecycle, at a point after where it should not be possible. This vulnerability affects Firefox < 96, Thunderbird < 91.6, and Firefox ESR < 91.6.
Solution(s):
  alpine-linux-upgrade-firefox-esr
  alpine-linux-upgrade-thunderbird
References:
  https://attackerkb.com/topics/cve-2022-22763
  CVE - 2022-22763
  https://security.alpinelinux.org/vuln/CVE-2022-22763
-
Alpine Linux: CVE-2022-22738: Out-of-bounds Write
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 12/22/2022
Created: 08/23/2024
Added: 08/22/2024
Modified: 10/02/2024
Description: Applying a CSS filter effect could have accessed out of bounds memory. This could have led to a heap-buffer-overflow causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
Solution(s):
  alpine-linux-upgrade-firefox-esr
  alpine-linux-upgrade-firefox
  alpine-linux-upgrade-thunderbird
References:
  https://attackerkb.com/topics/cve-2022-22738
  CVE - 2022-22738
  https://security.alpinelinux.org/vuln/CVE-2022-22738
-
Alpine Linux: CVE-2022-22736: Uncontrolled Search Path Element
Severity: 7
CVSS: (AV:L/AC:M/Au:S/C:C/I:C/A:C)
Published: 12/22/2022
Created: 08/23/2024
Added: 08/22/2024
Modified: 10/02/2024
Description: If Firefox was installed to a world-writable directory, a local privilege escalation could occur when Firefox searched the current directory for system libraries. However, the install directory is not world-writable by default. This bug only affects Firefox for Windows in a non-default installation. Other operating systems are unaffected. This vulnerability affects Firefox < 96.
Solution(s):
  alpine-linux-upgrade-firefox
References:
  https://attackerkb.com/topics/cve-2022-22736
  CVE - 2022-22736
  https://security.alpinelinux.org/vuln/CVE-2022-22736
-
Alpine Linux: CVE-2022-22755: Operation on a Resource after Expiration or Release
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 12/22/2022
Created: 08/23/2024
Added: 08/22/2024
Modified: 10/02/2024
Description: By using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute JavaScript (within the bounds of the same-origin policy) even after the tab was closed. This vulnerability affects Firefox < 97.
Solution(s):
  alpine-linux-upgrade-firefox
References:
  https://attackerkb.com/topics/cve-2022-22755
  CVE - 2022-22755
  https://security.alpinelinux.org/vuln/CVE-2022-22755
-
Alpine Linux: CVE-2022-22758: Cleartext Transmission of Sensitive Information
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 12/22/2022
Created: 08/23/2024
Added: 08/22/2024
Modified: 10/02/2024
Description: When clicking on a tel: link, USSD codes, specified after a * character, would be included in the phone number. On certain phones, or on certain carriers, if the number was dialed this could perform actions on a user's account, similar to a cross-site request forgery attack. This bug only affects Firefox for Android. Other operating systems are unaffected. This vulnerability affects Firefox < 97.
Solution(s):
  alpine-linux-upgrade-firefox
References:
  https://attackerkb.com/topics/cve-2022-22758
  CVE - 2022-22758
  https://security.alpinelinux.org/vuln/CVE-2022-22758
-
Alpine Linux: CVE-2022-1834: Improper Certificate Validation
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:C/I:N/A:N)
Published: 12/22/2022
Created: 08/23/2024
Added: 08/22/2024
Modified: 10/02/2024
Description: When displaying the sender of an email, and the sender name contained the Braille Pattern Blank space character multiple times, Thunderbird would have displayed all the spaces. This could have been used by an attacker to send an email message with the attacker's digital signature, that was shown with an arbitrary sender email address chosen by the attacker. If the sender name started with a false email address, followed by many Braille space characters, the attacker's email address was not visible. Because Thunderbird compared the invisible sender address with the signature's email address, if the signing key or certificate was accepted by Thunderbird, the email was shown as having a valid digital signature. This vulnerability affects Thunderbird < 91.10.
Solution(s):
  alpine-linux-upgrade-thunderbird
References:
  https://attackerkb.com/topics/cve-2022-1834
  CVE - 2022-1834
  https://security.alpinelinux.org/vuln/CVE-2022-1834
-
Alpine Linux: CVE-2022-22739: Vulnerability in Multiple Components
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
Published: 12/22/2022
Created: 08/23/2024
Added: 08/22/2024
Modified: 10/02/2024
Description: Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
Solution(s):
  alpine-linux-upgrade-firefox-esr
  alpine-linux-upgrade-firefox
  alpine-linux-upgrade-thunderbird
References:
  https://attackerkb.com/topics/cve-2022-22739
  CVE - 2022-22739
  https://security.alpinelinux.org/vuln/CVE-2022-22739
-
Alpine Linux: CVE-2022-22748: Vulnerability in Multiple Components
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
Published: 12/22/2022
Created: 08/23/2024
Added: 08/22/2024
Modified: 10/02/2024
Description: Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
Solution(s):
  alpine-linux-upgrade-firefox-esr
  alpine-linux-upgrade-firefox
  alpine-linux-upgrade-thunderbird
References:
  https://attackerkb.com/topics/cve-2022-22748
  CVE - 2022-22748
  https://security.alpinelinux.org/vuln/CVE-2022-22748
-
Alpine Linux: CVE-2022-22744: Improper Encoding or Escaping of Output
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 12/22/2022
Created: 08/23/2024
Added: 08/22/2024
Modified: 10/02/2024
Description: The constructed curl command from the "Copy as curl" feature in DevTools was not properly escaped for PowerShell. This could have led to command injection if pasted into a PowerShell prompt. This bug only affects Thunderbird for Windows. Other operating systems are unaffected. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
Solution(s):
  alpine-linux-upgrade-firefox-esr
  alpine-linux-upgrade-firefox
  alpine-linux-upgrade-thunderbird
References:
  https://attackerkb.com/topics/cve-2022-22744
  CVE - 2022-22744
  https://security.alpinelinux.org/vuln/CVE-2022-22744