{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-22747", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "dateUpdated": "2024-08-03T03:21:49.118Z", "dateReserved": "2022-01-07T00:00:00", "datePublished": "2022-12-22T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2022-12-22T00:00:00"}, "descriptions": [{"lang": "en", "value": "After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to be unexploitable. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5."}], "affected": [{"vendor": "Mozilla", "product": "Firefox ESR", "versions": [{"version": "unspecified", "lessThan": "91.5", "status": "affected", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Firefox", "versions": [{"version": "unspecified", "lessThan": "96", "status": "affected", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"version": "unspecified", "lessThan": "91.5", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://www.mozilla.org/security/advisories/mfsa2022-01/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2022-02/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2022-03/"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1735028"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Crash when handling empty pkcs7 sequence"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:21:49.118Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.mozilla.org/security/advisories/mfsa2022-01/", "tags": ["x_transferred"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2022-02/", "tags": ["x_transferred"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2022-03/", "tags": ["x_transferred"]}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1735028", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "473CF696-0664-4239-995D-D4700507DD1A", "versionEndExcluding": "96.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "matchCriteriaId": "A8FD4DD9-9B65-49B3-9FED-6FF5085489D2", "versionEndExcluding": "91.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "A1A101E0-2173-4299-8F05-F325DCDC804B", "versionEndExcluding": "91.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to be unexploitable. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5."}, {"lang": "es", "value": "Despu\u00e9s de aceptar un certificado que no es de confianza, manejar una secuencia pkcs7 vac\u00eda como parte de los datos del certificado podr\u00eda haber provocado un bloqueo. Se cree que este accidente no es explotable. Esta vulnerabilidad afecta a Firefox ESR &lt; 91.5, Firefox &lt; 96 y Thunderbird &lt; 91.5."}], "id": "CVE-2022-22747", "lastModified": "2022-12-29T23:17:04.580", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-22T20:15:16.087", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1735028"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2022-01/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2022-02/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2022-03/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:0124", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "firefox-0:91.5.0-1.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-01-12T00:00:00Z"}, {"advisory": "RHSA-2022:0127", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "thunderbird-0:91.5.0-1.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-01-12T00:00:00Z"}, {"advisory": "RHSA-2022:0129", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:91.5.0-1.el8_5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-01-12T00:00:00Z"}, {"advisory": "RHSA-2022:0130", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:91.5.0-1.el8_5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-01-12T00:00:00Z"}, {"advisory": "RHSA-2022:0125", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "firefox-0:91.5.0-1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-01-12T00:00:00Z"}, {"advisory": "RHSA-2022:0131", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "thunderbird-0:91.5.0-1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-01-12T00:00:00Z"}, {"advisory": "RHSA-2022:0123", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "thunderbird-0:91.5.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2022-01-12T00:00:00Z"}, {"advisory": "RHSA-2022:0132", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "firefox-0:91.5.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2022-01-12T00:00:00Z"}, {"advisory": "RHSA-2022:0126", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "firefox-0:91.5.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-01-12T00:00:00Z"}, {"advisory": "RHSA-2022:0128", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "thunderbird-0:91.5.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-01-12T00:00:00Z"}], "bugzilla": {"description": "Mozilla: Crash when handling empty pkcs7 sequence", "id": "2039572", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039572"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-476", "details": ["After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to be unexploitable. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.", "The Mozilla Foundation Security Advisory describes this flaw as: After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to be unexploitable."], "name": "CVE-2022-22747", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2022-01-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-22747\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-22747\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2022-02/#CVE-2022-22747\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2022-03/#CVE-2022-22747"], "threat_severity": "Low", "upstream_fix": "thunderbird 91.5, firefox 91.5"}