CVE-2022-22744: Command Injection

Reference Links

• https://bugzilla.mozilla.org/show_bug.cgi?id=1737252
• https://www.mozilla.org/en-US/security/advisories/mfsa2022-02/
• https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/
• https://www.mozilla.org/en-US/security/advisories/mfsa2022-03/
• https://www.mozilla.org/security/advisories/mfsa2022-01/
• https://www.mozilla.org/security/advisories/mfsa2022-02/
• https://www.mozilla.org/security/advisories/mfsa2022-03/

Parent vulnerabilities

(Appears in the following advisories)

• MFSA2022-03
• MFSA2022-01
• MFSA2022-02

Peer vulnerabilities

(Found alongside the following vulnerabilities)

• CVE-2022-22746
• CVE-2022-22743
• CVE-2022-22742
• CVE-2022-22741
• CVE-2022-22740
• CVE-2022-22738
• CVE-2022-22737
• CVE-2021-4140
• CVE-2022-22748
• CVE-2022-22745
• CVE-2022-22744
• CVE-2022-22747
• CVE-2022-22739
• CVE-2022-22751
• CVE-2022-22750
• CVE-2022-22749
• CVE-2022-22763
• CVE-2022-22736
• CVE-2022-22752

Frequently Asked Questions

• What is the severity of CVE-2022-22744?

  CVE-2022-22744 is classified as a critical vulnerability due to its potential for command injection in PowerShell.

• How do I fix CVE-2022-22744?

  To mitigate CVE-2022-22744, users should upgrade to Firefox ESR version 91.5 or Firefox version 96 and ensure all software is updated.

• Who is affected by CVE-2022-22744?

  CVE-2022-22744 primarily affects Firefox and Thunderbird users on Windows operating systems.

• What does CVE-2022-22744 exploit?

  CVE-2022-22744 exploits the "Copy as curl" feature in DevTools where the constructed curl command is not properly escaped.

• Is CVE-2022-22744 limited to specific versions?

  Yes, CVE-2022-22744 affects Firefox versions up to 96 and Firefox ESR versions up to 91.5.