ISHACK AI BOT

Alpine Linux: CVE-2022-42928: NULL Pointer Dereference Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Certain types of allocations were missing annotations that, if the Garbage Collector was in a specific state, could have lead to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4. Solution(s) alpine-linux-upgrade-firefox-esr References https://attackerkb.com/topics/cve-2022-42928 CVE - 2022-42928 https://security.alpinelinux.org/vuln/CVE-2022-42928

Rocky Linux: CVE-2022-46881: firefox (RLSA-2022-9067) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 03/13/2024 Added 03/12/2024 Modified 01/28/2025 Description An optimization in WebGL was incorrect in some cases, and could have led to memory corruption and a potentially exploitable crash. *Note*: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. The fix was included in the original release of Firefox 106. This vulnerability affects Firefox < 106, Firefox ESR < 102.6, and Thunderbird < 102.6. Solution(s) rocky-upgrade-firefox rocky-upgrade-firefox-debuginfo rocky-upgrade-firefox-debugsource References https://attackerkb.com/topics/cve-2022-46881 CVE - 2022-46881 https://errata.rockylinux.org/RLSA-2022:9067

Alpine Linux: CVE-2022-34479: Vulnerability in Multiple Components Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 12/22/2022 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description A malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks. <br>*This bug only affects Thunderbird for Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11. Solution(s) alpine-linux-upgrade-firefox-esr alpine-linux-upgrade-thunderbird alpine-linux-upgrade-firefox References https://attackerkb.com/topics/cve-2022-34479 CVE - 2022-34479 https://security.alpinelinux.org/vuln/CVE-2022-34479

Rocky Linux: CVE-2022-40957: thunderbird (Multiple Advisories) Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 12/22/2022 Created 03/13/2024 Added 03/12/2024 Modified 01/28/2025 Description Inconsistent data in instruction and data cache when creating wasm code could lead to a potentially exploitable crash.<br>*This bug only affects Firefox on ARM64 platforms.*. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. Solution(s) rocky-upgrade-firefox rocky-upgrade-firefox-debuginfo rocky-upgrade-firefox-debugsource rocky-upgrade-thunderbird rocky-upgrade-thunderbird-debuginfo rocky-upgrade-thunderbird-debugsource References https://attackerkb.com/topics/cve-2022-40957 CVE - 2022-40957 https://errata.rockylinux.org/RLSA-2022:6702 https://errata.rockylinux.org/RLSA-2022:6708

Rocky Linux: CVE-2022-40962: thunderbird (Multiple Advisories) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 03/13/2024 Added 03/12/2024 Modified 01/28/2025 Description Mozilla developers Nika Layzell, Timothy Nikkel, Sebastian Hengst, Andreas Pehrson, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 104 and Firefox ESR 102.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. Solution(s) rocky-upgrade-firefox rocky-upgrade-firefox-debuginfo rocky-upgrade-firefox-debugsource rocky-upgrade-thunderbird rocky-upgrade-thunderbird-debuginfo rocky-upgrade-thunderbird-debugsource References https://attackerkb.com/topics/cve-2022-40962 CVE - 2022-40962 https://errata.rockylinux.org/RLSA-2022:6702 https://errata.rockylinux.org/RLSA-2022:6708

Rocky Linux: CVE-2022-45411: firefox (Multiple Advisories) Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 12/22/2022 Created 03/13/2024 Added 03/12/2024 Modified 01/28/2025 Description Cross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access to authorization headers and cookies inaccessible to JavaScript (such as cookies protected by HTTPOnly). To mitigate this attack, browsers placed limits on <code>fetch()</code> and XMLHttpRequest; however some webservers have implemented non-standard headers such as <code>X-Http-Method-Override</code> that override the HTTP method, and made this attack possible again. Thunderbird has applied the same mitigations to the use of this and similar headers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. Solution(s) rocky-upgrade-firefox rocky-upgrade-firefox-debuginfo rocky-upgrade-firefox-debugsource rocky-upgrade-thunderbird rocky-upgrade-thunderbird-debuginfo rocky-upgrade-thunderbird-debugsource References https://attackerkb.com/topics/cve-2022-45411 CVE - 2022-45411 https://errata.rockylinux.org/RLSA-2022:8547 https://errata.rockylinux.org/RLSA-2022:8554

Alpine Linux: CVE-2022-38476: Use After Free Severity 8 CVSS (AV:N/AC:H/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description A data race could occur in the <code>PK11_ChangePW</code> function, potentially leading to a use-after-free vulnerability. In Firefox, this lock protected the data when a user changed their master password. This vulnerability affects Firefox ESR < 102.2 and Thunderbird < 102.2. Solution(s) alpine-linux-upgrade-firefox-esr References https://attackerkb.com/topics/cve-2022-38476 CVE - 2022-38476 https://security.alpinelinux.org/vuln/CVE-2022-38476

Rocky Linux: CVE-2022-46874: firefox (RLSA-2022-9067) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 03/13/2024 Added 03/12/2024 Modified 01/28/2025 Description A file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place. This could potentially led to user confusion and the execution of malicious code.<br/>*Note*: This issue was originally included in the advisories for Thunderbird 102.6, but a patch (specific to Thunderbird) was omitted, resulting in it actually being fixed in Thunderbird 102.6.1. This vulnerability affects Firefox < 108, Thunderbird < 102.6.1, Thunderbird < 102.6, and Firefox ESR < 102.6. Solution(s) rocky-upgrade-firefox rocky-upgrade-firefox-debuginfo rocky-upgrade-firefox-debugsource References https://attackerkb.com/topics/cve-2022-46874 CVE - 2022-46874 https://errata.rockylinux.org/RLSA-2022:9067

Rocky Linux: CVE-2022-36318: firefox (Multiple Advisories) Severity 5 CVSS (AV:N/AC:H/Au:N/C:C/I:N/A:N) Published 12/22/2022 Created 03/13/2024 Added 03/12/2024 Modified 01/28/2025 Description When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12. Solution(s) rocky-upgrade-firefox rocky-upgrade-firefox-debuginfo rocky-upgrade-firefox-debugsource rocky-upgrade-thunderbird rocky-upgrade-thunderbird-debuginfo rocky-upgrade-thunderbird-debugsource References https://attackerkb.com/topics/cve-2022-36318 CVE - 2022-36318 https://errata.rockylinux.org/RLSA-2022:5774 https://errata.rockylinux.org/RLSA-2022:5777

Rocky Linux: CVE-2022-45416: firefox (Multiple Advisories) Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 12/22/2022 Created 03/13/2024 Added 03/12/2024 Modified 01/30/2025 Description Keyboard events reference strings like "KeyA" that were at fixed, known, and widely-spread addresses. Cache-based timing attacks such as Prime+Probe could have possibly figured out which keys were being pressed. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. Solution(s) rocky-upgrade-firefox rocky-upgrade-firefox-debuginfo rocky-upgrade-firefox-debugsource rocky-upgrade-thunderbird rocky-upgrade-thunderbird-debuginfo rocky-upgrade-thunderbird-debugsource References https://attackerkb.com/topics/cve-2022-45416 CVE - 2022-45416 https://errata.rockylinux.org/RLSA-2022:8547 https://errata.rockylinux.org/RLSA-2022:8554

Rocky Linux: CVE-2022-45406: firefox (Multiple Advisories) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 03/13/2024 Added 03/12/2024 Modified 01/28/2025 Description If an out-of-memory condition occurred when creating a JavaScript global, a JavaScript realm may be deleted while references to it lived on in a BaseShape. This could lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. Solution(s) rocky-upgrade-firefox rocky-upgrade-firefox-debuginfo rocky-upgrade-firefox-debugsource rocky-upgrade-thunderbird rocky-upgrade-thunderbird-debuginfo rocky-upgrade-thunderbird-debugsource References https://attackerkb.com/topics/cve-2022-45406 CVE - 2022-45406 https://errata.rockylinux.org/RLSA-2022:8547 https://errata.rockylinux.org/RLSA-2022:8554

Gentoo Linux: CVE-2022-43592: OpenImageIO: Multiple Vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 12/22/2022 Created 05/31/2023 Added 05/31/2023 Modified 01/28/2025 Description An information disclosure vulnerability exists in the DPXOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to leaked heap data. An attacker can provide malicious input to trigger this vulnerability. Solution(s) gentoo-linux-upgrade-media-libs-openimageio References https://attackerkb.com/topics/cve-2022-43592 CVE - 2022-43592 202305-33

Rocky Linux: CVE-2022-45410: firefox (Multiple Advisories) Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 12/22/2022 Created 03/13/2024 Added 03/12/2024 Modified 01/28/2025 Description When a ServiceWorker intercepted a request with <code>FetchEvent</code>, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. Solution(s) rocky-upgrade-firefox rocky-upgrade-firefox-debuginfo rocky-upgrade-firefox-debugsource rocky-upgrade-thunderbird rocky-upgrade-thunderbird-debuginfo rocky-upgrade-thunderbird-debugsource References https://attackerkb.com/topics/cve-2022-45410 CVE - 2022-45410 https://errata.rockylinux.org/RLSA-2022:8547 https://errata.rockylinux.org/RLSA-2022:8554

Rocky Linux: CVE-2022-45405: firefox (Multiple Advisories) Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 12/22/2022 Created 03/13/2024 Added 03/12/2024 Modified 01/30/2025 Description Freeing arbitrary <code>nsIInputStream</code>'s on a different thread than creation could have led to a use-after-free and potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. Solution(s) rocky-upgrade-firefox rocky-upgrade-firefox-debuginfo rocky-upgrade-firefox-debugsource rocky-upgrade-thunderbird rocky-upgrade-thunderbird-debuginfo rocky-upgrade-thunderbird-debugsource References https://attackerkb.com/topics/cve-2022-45405 CVE - 2022-45405 https://errata.rockylinux.org/RLSA-2022:8547 https://errata.rockylinux.org/RLSA-2022:8554

Gentoo Linux: CVE-2022-43596: OpenImageIO: Multiple Vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 12/22/2022 Created 05/31/2023 Added 05/31/2023 Modified 01/28/2025 Description An information disclosure vulnerability exists in the IFFOutput channel interleaving functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to leaked heap data. An attacker can provide malicious input to trigger this vulnerability. Solution(s) gentoo-linux-upgrade-media-libs-openimageio References https://attackerkb.com/topics/cve-2022-43596 CVE - 2022-43596 202305-33

Gentoo Linux: CVE-2022-43595: OpenImageIO: Multiple Vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 12/22/2022 Created 05/31/2023 Added 05/31/2023 Modified 01/28/2025 Description Multiple denial of service vulnerabilities exist in the image output closing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. Specially crafted ImageOutput Objects can lead to multiple null pointer dereferences. An attacker can provide malicious multiple inputs to trigger these vulnerabilities.This vulnerability applies to writing .fits files. Solution(s) gentoo-linux-upgrade-media-libs-openimageio References https://attackerkb.com/topics/cve-2022-43595 CVE - 2022-43595 202305-33

Rocky Linux: CVE-2022-45403: firefox (Multiple Advisories) Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 12/22/2022 Created 03/13/2024 Added 03/12/2024 Modified 01/28/2025 Description Service Workers should not be able to infer information about opaque cross-origin responses; but timing information for cross-origin media combined with Range requests might have allowed them to determine the presence or length of a media file. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. Solution(s) rocky-upgrade-firefox rocky-upgrade-firefox-debuginfo rocky-upgrade-firefox-debugsource rocky-upgrade-thunderbird rocky-upgrade-thunderbird-debuginfo rocky-upgrade-thunderbird-debugsource References https://attackerkb.com/topics/cve-2022-45403 CVE - 2022-45403 https://errata.rockylinux.org/RLSA-2022:8547 https://errata.rockylinux.org/RLSA-2022:8554

Alpine Linux: CVE-2022-29909: Incorrect Default Permissions Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. Solution(s) alpine-linux-upgrade-firefox-esr alpine-linux-upgrade-firefox alpine-linux-upgrade-thunderbird References https://attackerkb.com/topics/cve-2022-29909 CVE - 2022-29909 https://security.alpinelinux.org/vuln/CVE-2022-29909

JetBrains IntelliJ IDEA: CVE-2022-47895: The "Validate JSP File" action used the HTTP protocol to download required JAR files (IDEA-305732) Severity 4 CVSS (AV:N/AC:H/Au:N/C:P/I:P/A:N) Published 12/22/2022 Created 01/31/2025 Added 01/29/2025 Modified 02/05/2025 Description In JetBrains IntelliJ IDEA before 2022.3.1 the "Validate JSP File" action used the HTTP protocol to download required JAR files. Solution(s) jetbrains-intellij-idea-upgrade-latest References https://attackerkb.com/topics/cve-2022-47895 CVE - 2022-47895 https://www.jetbrains.com/privacy-security/issues-fixed/

Gentoo Linux: CVE-2022-41988: OpenImageIO: Multiple Vulnerabilities Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 12/22/2022 Created 05/31/2023 Added 05/31/2023 Modified 01/28/2025 Description An information disclosure vulnerability exists in the OpenImageIO::decode_iptc_iim() functionality of OpenImageIO Project OpenImageIO v2.3.19.0. A specially-crafted TIFF file can lead to a disclosure of sensitive information. An attacker can provide a malicious file to trigger this vulnerability. Solution(s) gentoo-linux-upgrade-media-libs-openimageio References https://attackerkb.com/topics/cve-2022-41988 CVE - 2022-41988 202305-33

Alpine Linux: CVE-2022-29918: Out-of-bounds Write Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Mozilla developers Gabriele Svelto, Randell Jesup and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 100. Solution(s) alpine-linux-upgrade-firefox References https://attackerkb.com/topics/cve-2022-29918 CVE - 2022-29918 https://security.alpinelinux.org/vuln/CVE-2022-29918

Alpine Linux: CVE-2022-34485: Out-of-bounds Write Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Mozilla developers Bryce Seager van Dyk and the Mozilla Fuzzing Team reported potential vulnerabilities present in Firefox 101. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 102. Solution(s) alpine-linux-upgrade-firefox References https://attackerkb.com/topics/cve-2022-34485 CVE - 2022-34485 https://security.alpinelinux.org/vuln/CVE-2022-34485

Debian: CVE-2022-41794: openimageio -- security update Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 05/05/2023 Added 04/11/2023 Modified 01/28/2025 Description A heap based buffer overflow vulnerability exists in the PSD thumbnail resource parsing code of OpenImageIO 2.3.19.0. A specially-crafted PSD file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. Solution(s) debian-upgrade-openimageio References https://attackerkb.com/topics/cve-2022-41794 CVE - 2022-41794 DSA-5384-1

Alpine Linux: CVE-2022-36315: Vulnerability in Multiple Components Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 12/22/2022 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description When loading a script with Subresource Integrity, attackers with an injection capability could trigger the reuse of previously cached entries with incorrect, different integrity metadata. This vulnerability affects Firefox < 103. Solution(s) alpine-linux-upgrade-firefox References https://attackerkb.com/topics/cve-2022-36315 CVE - 2022-36315 https://security.alpinelinux.org/vuln/CVE-2022-36315

Debian: CVE-2022-3266: firefox-esr, thunderbird -- security update Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:N/A:C) Published 12/22/2022 Created 12/28/2022 Added 12/28/2022 Modified 01/28/2025 Description An out-of-bounds read can occur when decoding H264 video. This results in a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. Solution(s) debian-upgrade-firefox-esr debian-upgrade-thunderbird References https://attackerkb.com/topics/cve-2022-3266 CVE - 2022-3266 DLA-3121-1 DLA-3123-1 DSA-5237-1 DSA-5238-1