#VU64756 Integer overflow in Mozilla Firefox


Vulnerability identifier: #VU64756

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34481

CWE-ID: CWE-190

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mozilla Firefox
Client/Desktop applications / Web browsers

Vendor: Mozilla

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in the nsTArray_Impl::ReplaceElementsAt() function. A remote attacker can trick the victim to visit a specially crafted website, trigger an integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 90.0 - 101.0.1

External links
http://www.mozilla.org/en-US/security/advisories/mfsa2022-24/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


openEuler 22.03 LTS SP3 update for mozjs78
openEuler 22.03 LTS SP1 update for mozjs78
openEuler 20.03 LTS SP4 update for mozjs78
Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management Monitoring
Multiple vulnerabilities in IBM Application Performance Management
Multiple vulnerabilities in Pale Moon
Oracle Solaris update for third-party software
SUSE update for MozillaFirefox
SUSE update for MozillaThunderbird
SUSE update for MozillaFirefox