Mozilla Foundation Security Advisory 2022-08
Mozilla VPN local privilege escalation vis uncontrolled OpenSSL search path
- Announced
- February 23, 2022
- Impact
- high
- Products
- Mozilla VPN
- Fixed in
-
- Mozilla VPN 2.7.1
#CVE-2022-0517: Local privilege escalation vis uncontrolled OpenSSL search path
- Reporter
- DoHyun Lee (@l33d0hyun) of DNSLab, Korea University
- Impact
- high
Description
Mozilla VPN can load an OpenSSL configuration file from an unsecured directory. A user or attacker with limited privileges could leverage this to launch arbitrary code with SYSTEM privilege.