2022-51 - Mozilla, GitHub Published on December 26, 2022

Advisory Week

Week 51, 2022

National Cyber Awareness System

CISA Releases Four Industrial Control Systems Advisories CISA Releases Six Industrial Control Systems Advisories

Mozilla Security Advisories

Security Vulnerabilities fixed in Thunderbird 102.6.1 mfsa2022-54

Github Security Advisories

[GHSA-6mv3-wm7j-h4w5] Tauri Filesystem Scope Glob Pattern is too Permissive [GHSA-6cq5-8cj7-g558] CodeIgniter4 Potential Session Handlers Vulnerability [GHSA-ghw3-5qvm-3mqc] CodeIgniter4 allows spoofing of IP address when using proxy [GHSA-hjrf-2m68-5959] jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC [GHSA-qwph-4952-7xr6] jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() [GHSA-8cf7-32gw-wr33] jsonwebtoken unrestricted key type could lead to legacy keys usage [GHSA-27h2-hvpr-p74q] jsonwebtoken has insecure input validation in jwt.verify function [GHSA-p82q-rxpm-hjpc] AAD Pod Identity obtaining token with backslash [GHSA-m3cq-xcx9-3gvm] Bypass of verifyImages rule possible with malicious proxy/registry [GHSA-m3q4-7qmj-657m] OpenFGA Authorization Bypass [GHSA-h4q8-96p6-jcgr] ghinstallation returns app JWT in error responses [GHSA-cq2g-pw6q-hf7j] Cortex's Alertmanager can expose local files content via specially crafted config