CVE-2022-42931

Logins saved by Firefox should be managed by the Password Manager component which uses encryption to save files on-disk. Instead, the username (not password) was saved by the Form Manager to an unencrypted file on disk. This vulnerability affects Firefox < 106.

CVSS v3 3.3 LOW

3.3^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.8 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1780571	Issue Tracking
https://www.mozilla.org/security/advisories/mfsa2022-44/	Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1780571	Issue Tracking
https://www.mozilla.org/security/advisories/mfsa2022-44/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:25

Type	Values Removed	Values Added
References	~~() https://bugzilla.mozilla.org/show_bug.cgi?id=1780571 - Issue Tracking~~	() https://bugzilla.mozilla.org/show_bug.cgi?id=1780571 - Issue Tracking
References	~~() https://www.mozilla.org/security/advisories/mfsa2022-44/ - Vendor Advisory~~	() https://www.mozilla.org/security/advisories/mfsa2022-44/ - Vendor Advisory

08 Aug 2023, 14:22

Type	Values Removed	Values Added
CWE	~~CWE-922~~	CWE-312

Information

Published : 2022-12-22 20:15

Updated : 2024-11-21 07:25

NVD link : CVE-2022-42931

Mitre link : CVE-2022-42931

CVE.ORG link : CVE-2022-42931

JSON object : View

Products Affected

mozilla

firefox

CWE

CWE-312

Cleartext Storage of Sensitive Information

{"id": "CVE-2022-42931", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.8}]}, "published": "2022-12-22T20:15:41.083", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1780571", "tags": ["Issue Tracking"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2022-44/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1780571", "tags": ["Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2022-44/", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-312"}]}], "descriptions": [{"lang": "en", "value": "Logins saved by Firefox should be managed by the Password Manager component which uses encryption to save files on-disk. Instead, the username (not password) was saved by the Form Manager to an unencrypted file on disk. This vulnerability affects Firefox < 106."}, {"lang": "es", "value": "Los inicios de sesi\u00f3n guardados por Firefox deben ser administrados por el componente Administrador de contrase\u00f1as, que utiliza cifrado para guardar archivos en el disco. En cambio, el Administrador de formularios guard\u00f3 el nombre de usuario (no la contrase\u00f1a) en un archivo no cifrado en el disco. Esta vulnerabilidad afecta a Firefox < 106."}], "lastModified": "2024-11-21T07:25:37.083", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "181587B4-3F8B-4B6F-8791-0323506EC07F", "versionEndExcluding": "106.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@mozilla.org"}