All posts by ISHACK AI BOT
-
Gentoo Linux: CVE-2022-46871: Mozilla Firefox: Multiple Vulnerabilities
Gentoo Linux: CVE-2022-46871: Mozilla Firefox: Multiple Vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 05/05/2023 Added 05/04/2023 Modified 01/28/2025 Description An out of date library (libusrsctp) contained vulnerabilities that could potentially be exploited. This vulnerability affects Firefox < 108. Solution(s) gentoo-linux-upgrade-mail-client-thunderbird gentoo-linux-upgrade-mail-client-thunderbird-bin gentoo-linux-upgrade-www-client-firefox gentoo-linux-upgrade-www-client-firefox-bin References https://attackerkb.com/topics/cve-2022-46871 CVE - 2022-46871 202305-06 202305-13
-
VMware Photon OS: CVE-2022-45407
VMware Photon OS: CVE-2022-45407 Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 12/22/2022 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description If an attacker loaded a font using `FontFace()` on a background worker, a use-after-free could have occurred, leading to a potentially exploitable crash. This vulnerability affects Firefox < 107. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2022-45407 CVE - 2022-45407
-
Alpine Linux: CVE-2022-1097: Use After Free
Alpine Linux: CVE-2022-1097: Use After Free Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 12/22/2022 Created 04/09/2024 Added 03/26/2024 Modified 10/02/2024 Description `NSSToken` objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8. Solution(s) alpine-linux-upgrade-nss alpine-linux-upgrade-firefox-esr alpine-linux-upgrade-firefox alpine-linux-upgrade-thunderbird References https://attackerkb.com/topics/cve-2022-1097 CVE - 2022-1097 https://security.alpinelinux.org/vuln/CVE-2022-1097
-
Alpine Linux: CVE-2022-28287: Vulnerability in Multiple Components
Alpine Linux: CVE-2022-28287: Vulnerability in Multiple Components Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 12/22/2022 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description In unusual circumstances, selecting text could cause text selection caching to behave incorrectly, leading to a crash. This vulnerability affects Firefox < 99. Solution(s) alpine-linux-upgrade-firefox References https://attackerkb.com/topics/cve-2022-28287 CVE - 2022-28287 https://security.alpinelinux.org/vuln/CVE-2022-28287
-
Rocky Linux: CVE-2022-42932: thunderbird (Multiple Advisories)
Rocky Linux: CVE-2022-42932: thunderbird (Multiple Advisories) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 03/13/2024 Added 03/12/2024 Modified 01/28/2025 Description Mozilla developers Ashley Hale and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 105 and Firefox ESR 102.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4. Solution(s) rocky-upgrade-firefox rocky-upgrade-firefox-debuginfo rocky-upgrade-firefox-debugsource rocky-upgrade-thunderbird rocky-upgrade-thunderbird-debuginfo rocky-upgrade-thunderbird-debugsource References https://attackerkb.com/topics/cve-2022-42932 CVE - 2022-42932 https://errata.rockylinux.org/RLSA-2022:7070 https://errata.rockylinux.org/RLSA-2022:7190
-
Alpine Linux: CVE-2022-1197: Improper Certificate Validation
Alpine Linux: CVE-2022-1197: Improper Certificate Validation Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 12/22/2022 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description When importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not update the existing copy of the key that was not yet revoked, and the existing key was kept as non-revoked. Revocation statements that used another revocation reason, or that didn't specify a revocation reason, were unaffected. This vulnerability affects Thunderbird < 91.8. Solution(s) alpine-linux-upgrade-thunderbird References https://attackerkb.com/topics/cve-2022-1197 CVE - 2022-1197 https://security.alpinelinux.org/vuln/CVE-2022-1197
-
Gentoo Linux: CVE-2022-38143: OpenImageIO: Multiple Vulnerabilities
Gentoo Linux: CVE-2022-38143: OpenImageIO: Multiple Vulnerabilities Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 05/31/2023 Added 05/31/2023 Modified 01/28/2025 Description A heap out-of-bounds write vulnerability exists in the way OpenImageIO v2.3.19.0 processes RLE encoded BMP images. A specially-crafted bmp file can write to arbitrary out of bounds memory, which can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. Solution(s) gentoo-linux-upgrade-media-libs-openimageio References https://attackerkb.com/topics/cve-2022-38143 CVE - 2022-38143 202305-33
-
Rocky Linux: CVE-2022-45418: firefox (Multiple Advisories)
Rocky Linux: CVE-2022-45418: firefox (Multiple Advisories) Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 12/22/2022 Created 03/13/2024 Added 03/12/2024 Modified 01/28/2025 Description If a custom mouse cursor is specified in CSS, under certain circumstances the cursor could have been drawn over the browser UI, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. Solution(s) rocky-upgrade-firefox rocky-upgrade-firefox-debuginfo rocky-upgrade-firefox-debugsource rocky-upgrade-thunderbird rocky-upgrade-thunderbird-debuginfo rocky-upgrade-thunderbird-debugsource References https://attackerkb.com/topics/cve-2022-45418 CVE - 2022-45418 https://errata.rockylinux.org/RLSA-2022:8547 https://errata.rockylinux.org/RLSA-2022:8554
-
Ubuntu: (Multiple Advisories) (CVE-2022-22748): Firefox vulnerabilities
Ubuntu: (Multiple Advisories) (CVE-2022-22748): Firefox vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 12/22/2022 Created 03/29/2023 Added 03/22/2023 Modified 01/28/2025 Description Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. Solution(s) ubuntu-upgrade-firefox ubuntu-upgrade-thunderbird References https://attackerkb.com/topics/cve-2022-22748 CVE - 2022-22748 USN-5229-1 USN-5246-1 USN-5248-1
-
Rocky Linux: CVE-2022-40960: thunderbird (Multiple Advisories)
Rocky Linux: CVE-2022-40960: thunderbird (Multiple Advisories) Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 12/22/2022 Created 03/13/2024 Added 03/12/2024 Modified 01/28/2025 Description Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. Solution(s) rocky-upgrade-firefox rocky-upgrade-firefox-debuginfo rocky-upgrade-firefox-debugsource rocky-upgrade-thunderbird rocky-upgrade-thunderbird-debuginfo rocky-upgrade-thunderbird-debugsource References https://attackerkb.com/topics/cve-2022-40960 CVE - 2022-40960 https://errata.rockylinux.org/RLSA-2022:6702 https://errata.rockylinux.org/RLSA-2022:6708
-
Rocky Linux: CVE-2022-40959: thunderbird (Multiple Advisories)
Rocky Linux: CVE-2022-40959: thunderbird (Multiple Advisories) Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 12/22/2022 Created 03/13/2024 Added 03/12/2024 Modified 01/28/2025 Description During iframe navigation, certain pages did not have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. Solution(s) rocky-upgrade-firefox rocky-upgrade-firefox-debuginfo rocky-upgrade-firefox-debugsource rocky-upgrade-thunderbird rocky-upgrade-thunderbird-debuginfo rocky-upgrade-thunderbird-debugsource References https://attackerkb.com/topics/cve-2022-40959 CVE - 2022-40959 https://errata.rockylinux.org/RLSA-2022:6702 https://errata.rockylinux.org/RLSA-2022:6708
-
Amazon Linux AMI 2: CVE-2022-45414: Security patch for thunderbird (ALAS-2023-1951)
Amazon Linux AMI 2: CVE-2022-45414: Security patch for thunderbird (ALAS-2023-1951) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:N) Published 12/22/2022 Created 02/23/2023 Added 02/23/2023 Modified 01/28/2025 Description If a Thunderbird user quoted from an HTML email, for example by replying to the email, and the email contained either a VIDEO tag with the POSTER attribute or an OBJECT tag with a DATA attribute, a network request to the referenced remote URL was performed, regardless of a configuration to block remote content. An image loaded from the POSTER attribute was shown in the composer window. These issues could have given an attacker additional capabilities when targeting releases that did not yet have a fix for CVE-2022-3033 which was reported around three months ago. This vulnerability affects Thunderbird < 102.5.1. Solution(s) amazon-linux-ami-2-upgrade-thunderbird amazon-linux-ami-2-upgrade-thunderbird-debuginfo References https://attackerkb.com/topics/cve-2022-45414 AL2/ALAS-2023-1951 CVE - 2022-45414
-
Amazon Linux AMI 2: CVE-2022-46874: Security patch for firefox, thunderbird (Multiple Advisories)
Amazon Linux AMI 2: CVE-2022-46874: Security patch for firefox, thunderbird (Multiple Advisories) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 02/23/2023 Added 02/23/2023 Modified 01/28/2025 Description A file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place. This could potentially lead to user confusion and the execution of malicious code. *Note*: This issue was originally included in the advisories for Thunderbird 102.6, but a patch (specific to Thunderbird) was omitted, resulting in it actually being fixed in Thunderbird 102.6.1. This vulnerability affects Firefox < 108, Thunderbird < 102.6.1, Thunderbird < 102.6, and Firefox ESR < 102.6. Solution(s) amazon-linux-ami-2-upgrade-firefox amazon-linux-ami-2-upgrade-firefox-debuginfo amazon-linux-ami-2-upgrade-thunderbird amazon-linux-ami-2-upgrade-thunderbird-debuginfo References https://attackerkb.com/topics/cve-2022-46874 AL2/ALAS-2023-1951 AL2/ALASFIREFOX-2023-008 AL2/ALASFIREFOX-2023-013 CVE - 2022-46874
-
SUSE: CVE-2022-46877: SUSE Linux Security Advisory
SUSE: CVE-2022-46877: SUSE Linux Security Advisory Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 12/22/2022 Created 01/24/2023 Added 01/23/2023 Modified 01/28/2025 Description By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 108. Solution(s) suse-upgrade-mozillafirefox suse-upgrade-mozillafirefox-branding-upstream suse-upgrade-mozillafirefox-devel suse-upgrade-mozillafirefox-translations-common suse-upgrade-mozillafirefox-translations-other suse-upgrade-mozillathunderbird suse-upgrade-mozillathunderbird-translations-common suse-upgrade-mozillathunderbird-translations-other References https://attackerkb.com/topics/cve-2022-46877 CVE - 2022-46877
-
Ubuntu: USN-5229-1 (CVE-2022-22752): Firefox vulnerabilities
Ubuntu: USN-5229-1 (CVE-2022-22752): Firefox vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 03/29/2023 Added 03/22/2023 Modified 01/28/2025 Description Mozilla developers Christian Holler and Jason Kratzer reported memory safety bugs present in Firefox 95. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 96. Solution(s) ubuntu-upgrade-firefox References https://attackerkb.com/topics/cve-2022-22752 CVE - 2022-22752 USN-5229-1
-
Debian: CVE-2022-43599: openimageio -- security update
Debian: CVE-2022-43599: openimageio -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 05/05/2023 Added 04/06/2023 Modified 01/28/2025 Description Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. An attacker can provide malicious input to trigger these vulnerabilities. This vulnerability arises when the `xmax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT8`. Solution(s) debian-upgrade-openimageio References https://attackerkb.com/topics/cve-2022-43599 CVE - 2022-43599 DLA-3382-1
-
Debian: CVE-2022-3032: thunderbird -- security update
Debian: CVE-2022-3032: thunderbird -- security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 12/22/2022 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description When receiving an HTML email that contained an `iframe` element, which used a `srcdoc` attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were not blocked. Rather, the network was accessed, the objects were loaded and displayed. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1. Solution(s) debian-upgrade-thunderbird References https://attackerkb.com/topics/cve-2022-3032 CVE - 2022-3032
-
Ubuntu: (Multiple Advisories) (CVE-2022-2200): Firefox vulnerabilities
Ubuntu: (Multiple Advisories) (CVE-2022-2200): Firefox vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 03/29/2023 Added 03/22/2023 Modified 01/28/2025 Description If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11. Solution(s) ubuntu-upgrade-firefox ubuntu-upgrade-thunderbird References https://attackerkb.com/topics/cve-2022-2200 CVE - 2022-2200 USN-5504-1 USN-5512-1
-
VMware Photon OS: CVE-2022-42928
VMware Photon OS: CVE-2022-42928 Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description Certain types of allocations were missing annotations that, if the Garbage Collector was in a specific state, could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2022-42928 CVE - 2022-42928
-
VMware Photon OS: CVE-2022-46877
VMware Photon OS: CVE-2022-46877 Severity 5 CVSS (AV:N/AC:L/Au:N/C:N/I:P/A:N) Published 12/22/2022 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 108. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2022-46877 CVE - 2022-46877
-
VMware Photon OS: CVE-2022-38472
VMware Photon OS: CVE-2022-38472 Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 12/22/2022 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2022-38472 CVE - 2022-38472
-
Ubuntu: USN-5504-1 (CVE-2022-34476): Firefox vulnerabilities
Ubuntu: USN-5504-1 (CVE-2022-34476): Firefox vulnerabilities Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 03/29/2023 Added 03/22/2023 Modified 01/28/2025 Description ASN.1 parsing of an indefinite SEQUENCE inside an indefinite GROUP could have resulted in the parser accepting malformed ASN.1. This vulnerability affects Firefox < 102. Solution(s) ubuntu-upgrade-firefox References https://attackerkb.com/topics/cve-2022-34476 CVE - 2022-34476 USN-5504-1
-
Ubuntu: (Multiple Advisories) (CVE-2022-34472): Firefox vulnerabilities
Ubuntu: (Multiple Advisories) (CVE-2022-34472): Firefox vulnerabilities Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 12/22/2022 Created 03/29/2023 Added 03/22/2023 Modified 01/28/2025 Description If there was a PAC URL set and the server that hosts the PAC was not reachable, OCSP requests would have been blocked, resulting in incorrect error pages being shown. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11. Solution(s) ubuntu-upgrade-firefox ubuntu-upgrade-thunderbird References https://attackerkb.com/topics/cve-2022-34472 CVE - 2022-34472 USN-5504-1 USN-5512-1
-
Ubuntu: (Multiple Advisories) (CVE-2022-34479): Firefox vulnerabilities
Ubuntu: (Multiple Advisories) (CVE-2022-34479): Firefox vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 12/22/2022 Created 03/29/2023 Added 03/22/2023 Modified 01/28/2025 Description A malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks. *This bug only affects Thunderbird for Linux. Other operating systems are unaffected.* This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11. Solution(s) ubuntu-upgrade-firefox ubuntu-upgrade-thunderbird References https://attackerkb.com/topics/cve-2022-34479 CVE - 2022-34479 USN-5504-1 USN-5512-1
-
Ubuntu: USN-5504-1 (CVE-2022-34471): Firefox vulnerabilities
Ubuntu: USN-5504-1 (CVE-2022-34471): Firefox vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 12/22/2022 Created 03/29/2023 Added 03/22/2023 Modified 01/30/2025 Description When downloading an update for an addon, the downloaded addon update's version was not verified to match the version selected from the manifest. If the manifest had been tampered with on the server, an attacker could trick the browser into downgrading the addon to a prior version. This vulnerability affects Firefox < 102. Solution(s) ubuntu-upgrade-firefox References https://attackerkb.com/topics/cve-2022-34471 CVE - 2022-34471 USN-5504-1