Mozilla Foundation Security Advisory 2022-08

Mozilla VPN local privilege escalation vis uncontrolled OpenSSL search path

Announced
February 23, 2022
Impact
high
Products
Mozilla VPN
Fixed in
  • Mozilla VPN 2.7.1

#CVE-2022-0517: Local privilege escalation vis uncontrolled OpenSSL search path

Reporter
DoHyun Lee (@l33d0hyun) of DNSLab, Korea University
Impact
high
Description

Mozilla VPN can load an OpenSSL configuration file from an unsecured directory. A user or attacker with limited privileges could leverage this to launch arbitrary code with SYSTEM privilege.

References