Arbitrary Code Execution Vulnerability in Mozilla VPN
CVE-2022-0517

7.8HIGH

Key Information:

Vendor: Mozilla
Status: Mozilla VPN
Vendor: CVE Published:; 22 December 2022

Summary

Mozilla VPN is susceptible to a vulnerability that permits the loading of an OpenSSL configuration file from an unsecured directory. This exposure can potentially be exploited by an attacker or a user with limited privileges to execute arbitrary code with SYSTEM-level permissions. The affected versions include Mozilla VPN prior to 2.7.1, highlighting the critical need for users to upgrade to secure their systems against potential exploitation.

Affected Version(s)

Mozilla VPN < 2.7.1

References

https://www.mozilla.org/security/advisories/mfsa2022-08/

https://bugzilla.mozilla.org/show_bug.cgi?id=1752291

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 22, 2022
Vulnerability Reserved
Feb 7, 2022