CVE-2022-46873: 
NixOS vulnerability analysis and mitigation

CVE-2022-46873 is a security vulnerability discovered in Mozilla Firefox versions prior to 108.0, disclosed on December 13, 2022. The vulnerability stems from Firefox's incomplete implementation of the Content Security Policy (CSP) 'unsafe-hashes' directive. This security flaw could potentially allow attackers to inject executable scripts into pages that are otherwise protected by Content Security Policy (Mozilla Advisory, NVD).

The vulnerability occurs because Firefox did not properly implement the 'unsafe-hashes' CSP directive, which is designed to control the execution of inline script event handlers. The issue has a CVSS v3.1 base score of 8.8 (HIGH), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) (NVD).

When exploited, this vulnerability could allow an attacker who successfully injects markup into a page to execute arbitrary script code, even if the page is protected by Content Security Policy. However, the impact would be constrained by the specified Content Security Policy of the document (Mozilla Advisory).

The vulnerability was fixed in Firefox version 108.0. Users and administrators are advised to upgrade to Firefox version 108.0 or later to address this security issue. The fix implements proper handling of the 'unsafe-hashes' CSP directive (Mozilla Advisory, Gentoo Advisory).