Vulnerability Description
When downloading an update for an addon, the downloaded addon update's version was not verified to match the version selected from the manifest. If the manifest had been tampered with on the server, an attacker could trick the browser into downgrading the addon to a prior version. This vulnerability affects Firefox < 102.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | < 102.0 |
Related Weaknesses (CWE)
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1766047Issue TrackingPermissions RequiredVendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2022-24/Vendor Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=1766047Issue TrackingPermissions RequiredVendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2022-24/Vendor Advisory
FAQ
What is CVE-2022-34471?
CVE-2022-34471 is a vulnerability with a CVSS score of 6.5 (MEDIUM). When downloading an update for an addon, the downloaded addon update's version was not verified to match the version selected from the manifest. If the manifest had been tampered with on the server, a...
How severe is CVE-2022-34471?
CVE-2022-34471 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-34471?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox.