Anolis OS update for firefox



| Updated: 2025-03-28
Risk High
Patch available YES
Number of vulnerabilities 26
CVE-ID CVE-2021-4140
CVE-2021-32810
CVE-2021-38493
CVE-2021-38496
CVE-2021-38497
CVE-2021-38498
CVE-2021-38500
CVE-2021-38501
CVE-2022-22737
CVE-2022-22738
CVE-2022-22739
CVE-2022-22740
CVE-2022-22741
CVE-2022-22742
CVE-2022-22743
CVE-2022-22745
CVE-2022-22747
CVE-2022-22748
CVE-2022-22751
CVE-2022-22754
CVE-2022-22756
CVE-2022-22759
CVE-2022-22760
CVE-2022-22761
CVE-2022-22763
CVE-2022-22764
CWE-ID CWE-254
CWE-362
CWE-119
CWE-416
CWE-346
CWE-122
CWE-1021
CWE-787
CWE-200
CWE-20
CWE-451
CWE-264
CWE-357
CWE-664
Exploitation vector Network
Public exploit N/A
Vulnerable software
 Anolis OS
Operating systems & Components / Operating system

firefox
Operating systems & Components / Operating system package or component

Vendor OpenAnolis

Security Bulletin

This security bulletin contains information about 26 vulnerabilities.

1) Security features bypass

EUVDB-ID: #VU59373

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-4140

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error in iframe sandbox implementation when processing XSLT markup. A remote attacker can bypass iframe sandbox and execute arbitrary JavaScript code in context of arbitrary window.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Race condition

EUVDB-ID: #VU55598

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-32810

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a race condition in the "Stealer::steal", "Stealer::steal_batch" and "Stealer::steal_batch_and_pop" functions. A remote attacker can exploit the race and gain unauthorized access to sensitive information and execute arbitrary code on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Buffer overflow

EUVDB-ID: #VU56374

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-38493

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Use-after-free

EUVDB-ID: #VU57064

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-38496

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error during operations on MessageTasks. A remote attacker can trick the victim to visit a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Origin validation error

EUVDB-ID: #VU57066

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-38497

CWE-ID: CWE-346 - Origin Validation Error

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to an error, which can cause a plain-text validation message to overlaid on another origin through the use of reportValidity() and window.open(). A remote attacker can perform a spoofing attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Use-after-free

EUVDB-ID: #VU57067

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-38498

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the nsLanguageAtomService object. A remote attacker can trick the victim to open a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Memory corruption

EUVDB-ID: #VU57065

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-38500

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim to visit a specially crafted web page, trigger a memory corruption and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Buffer overflow

EUVDB-ID: #VU57068

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-38501

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Use-after-free

EUVDB-ID: #VU59372

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2022-22737

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a race condition playing audio files. A remote attacker can construct a specially crafted audio skin, trigger a use-after-free error and execute arbitrary code on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Heap-based buffer overflow

EUVDB-ID: #VU59371

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2022-22738

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in blendGaussianBlur when applying CSS filter. A remote attacker can trick the victim to open a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Security features bypass

EUVDB-ID: #VU59381

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-22739

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to missing throttling on external protocol launch dialog. A malicious websites can trick users into accepting launching a program to handle an external URL protocol.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Use-after-free

EUVDB-ID: #VU59370

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2022-22740

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in ChannelEventQueue::mOwner when releasing a network request handle. A remote attacker can trick the victim to open a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Improper Restriction of Rendered UI Layers or Frames

EUVDB-ID: #VU59369

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-22741

CWE-ID: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to an error resizing a popup while requesting fullscreen access. A remote attacker can trick the victim to open a specially crafted web page,  and make the browser unable to leave fullscreen mode.

Successful exploitation of the vulnerability may allow an attacker to perform spoofing attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Out-of-bounds write

EUVDB-ID: #VU59368

Risk: Medium

CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-22742

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input, when inserting text while in edit mode. A remote attacker can create a specially crafted website, trick the victim into opening it and insert specially crafted input in the edit mode, trigger out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Improper Restriction of Rendered UI Layers or Frames

EUVDB-ID: #VU59367

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-22743

CWE-ID: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to an error when navigating from inside an iframe while requesting fullscreen access. A remote attacker can trick the victim to open a specially crafted web page,  and make the browser unable to leave fullscreen mode.

Successful exploitation of the vulnerability may allow an attacker to perform spoofing attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Information disclosure

EUVDB-ID: #VU59377

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-22745

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to Securitypolicyviolation events leak cross-origin information for frame-ancestors violations. A remote attacker can gain access to sensitive data.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Input validation error

EUVDB-ID: #VU59379

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-22747

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of empty pkcs7 sequence, passed as part of the certificate data. A remote attacker can pass specially crafted certificate to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Spoofing attack

EUVDB-ID: #VU59376

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-22748

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to incorrect processing of user-supplied data. Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Buffer overflow

EUVDB-ID: #VU59382

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2022-22751

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Security restrictions bypass

EUVDB-ID: #VU60395

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2022-22754

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists in the way Firefox handles extensions updates. A remote attacker can trick the victim to install a browser extension of a particular type and during auto-update bypass the prompt which grants the new version the new requested permissions. As a result an extension with limited permissions can be used to compromise the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Insufficient UI Warning of Dangerous Operations

EUVDB-ID: #VU60398

Risk: Medium

CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-22756

CWE-ID: CWE-357 - Insufficient UI Warning of Dangerous Operations

Exploit availability: No

Description

The vulnerability allows a remote attacker execute arbitrary code.

The vulnerability exists due to browser fails to properly identify a malicious file during drag and drop operations. A remote attacker can trick the victim to drag and drop an image to their desktop or other folder and change the resulting object into an executable script which will be executed after the user clicked on it.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Sandbox restrictions bypass

EUVDB-ID: #VU60406

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-22759

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to the way iframes are handled by the browser. If a document created a sandboxed iframe without allow-scripts, and subsequently appended an element to the iframe's document that e.g. had a JavaScript event handler - the event handler would have run despite the iframe's sandbox.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Information disclosure

EUVDB-ID: #VU60409

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-22760

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the way Firefox displays error messages in cross-origin responses, when importing resources using Web Workers. A remote attacker can distinguish the difference between application/javascript responses and non-script responses and learn information cross-origin.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Security features bypass

EUVDB-ID: #VU60411

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-22761

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform unauthorized actions.

The vulnerability exists due to frame-ancestors Content Security Policy directive was not enforced for framed extension pages (pages with a moz-extension:// scheme). A remote attacker perform unauthorized actions.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Improper control of a resource through its lifetime

EUVDB-ID: #VU60414

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-22763

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error when handling script execution during invalid object state. A remote attacker can cause a script to run late in the lifecycle, at a point after where it should not be possible.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Buffer overflow

EUVDB-ID: #VU60413

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2022-22764

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

firefox: before 91.6.0-1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###