CVE-2022-38472
Publication date 24 August 2022
Last updated 24 July 2024
Ubuntu priority
CVSS 3 Severity Score
An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.
Status
Package | Ubuntu Release | Status |
---|---|---|
firefox | 22.04 LTS jammy | Not affected |
firefox | 20.04 LTS focal | Fixed 104.0+build3-0ubuntu0.20.04.1 |
firefox | 18.04 LTS bionic | Fixed 104.0+build3-0ubuntu0.18.04.1 |
firefox | 16.04 LTS xenial | Ignored end of standard support |
firefox | 14.04 LTS trusty | Not in release |
thunderbird | 22.04 LTS jammy | Fixed 1:102.2.2+build1-0ubuntu0.22.04.1 |
thunderbird | 20.04 LTS focal | Fixed 1:102.2.2+build1-0ubuntu0.20.04.1 |
thunderbird | 18.04 LTS bionic | Fixed 1:102.2.2+build1-0ubuntu0.18.04.1 |
thunderbird | 16.04 LTS xenial | Ignored end of standard support |
thunderbird | 14.04 LTS trusty | Not in release |
Notes
mdeslaur
starting with Ubuntu 22.04, the firefox package is just a script that installs the Firefox snap
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.5 · Medium |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | High |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-5581-1: Firefox vulnerabilities (24 August 2022)
- USN-5663-1: Thunderbird vulnerabilities (7 October 2022)