CVE-2022-38164: 
NixOS vulnerability analysis and mitigation

A vulnerability affecting F-Secure SAFE browser for Android and iOS was discovered. The vulnerability (CVE-2022-38164) allows attackers to conduct phishing attacks through URL spoofing, as the browser only displays certain parts of the entire URL. This vulnerability affected F-Secure SAFE browser versions up to and including 19.0 on both Android and iOS platforms (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-290 (Authentication Bypass by Spoofing) according to CISA-ADP assessment. The technical issue stems from the browser's URL display mechanism, which fails to show the complete URL, making it possible for attackers to craft misleading URLs that appear legitimate (NVD).

The vulnerability enables attackers to conduct phishing attacks by exploiting the browser's incomplete URL display. This could lead to users being deceived about the actual website they are visiting, potentially resulting in credential theft or other forms of social engineering attacks (NVD).

Users should upgrade to versions newer than 19.0 of the F-Secure SAFE browser on both Android and iOS platforms. The vulnerability has been addressed in subsequent releases (F-Secure Advisory).