[MFSA-2022-19] Security Vulnerabilities fixed in Firefox 100.0.2, Firefox for Android 100.3.0, Firefox ESR 91.9.1, Thunderbird 91.9.1
Severity
Critical
Affected Packages
4
Fixed Packages
4
CVEs
2
CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution (critical)
An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process.CVE-2022-1802: Prototype pollution in Top-Level Await implementation (critical)
If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context.
| Package | Affected Version |
|---|---|
 pkg:mozilla/Thunderbird
|
< 91.9.1 |
|
pkg:mozilla/Firefox?os=android
|
< 100.3.0 |
|
pkg:mozilla/Firefox%20ESR
|
< 91.9.1 |
|
pkg:mozilla/Firefox
|
< 100.0.2 |
| Package | Fixed Version |
|---|---|
|
pkg:mozilla/Thunderbird
|
= 91.9.1 |
|
pkg:mozilla/Firefox?os=android
|
= 100.3.0 |
|
pkg:mozilla/Firefox%20ESR
|
= 91.9.1 |
|
pkg:mozilla/Firefox
|
= 100.0.2 |
- ID
- MFSA-2022-19
- Severity
- critical
- URL
- https://www.mozilla.org/en-US/security/advisories/mfsa2022-19
- Published
-
2022-05-20T00:00:00
(2 years ago) - Modified
-
2022-05-20T00:00:00
(2 years ago) - Other Advisories
-
-
ALAS2-2022-1804
-
ALPINE:CVE-2022-1529
-
ALPINE:CVE-2022-1802
-
ALSA-2022:4769
-
ALSA-2022:4776
-
DSA-5143-1
-
DSA-5158-1
-
ELSA-2022-4729
-
ELSA-2022-4730
-
ELSA-2022-4765
-
ELSA-2022-4769
-
ELSA-2022-4772
-
ELSA-2022-4776
-
GLSA-202208-08
-
GLSA-202208-14
-
RHSA-2022:4729
-
RHSA-2022:4730
-
RHSA-2022:4765
-
RHSA-2022:4769
-
RHSA-2022:4772
-
RHSA-2022:4776
-
RLSA-2022:4769
-
RLSA-2022:4776
-
SSA:2022-140-01
-
SSA:2022-140-02
-
SUSE-SU-2022:1808-1
-
SUSE-SU-2022:1818-1
-
SUSE-SU-2022:1830-1
-
SUSE-SU-2022:2062-1
-
USN-5434-1
-
USN-5435-1
-
| Source | # ID | Name | URL |
|---|---|---|---|
| Bugzilla | 1770048 |
|
|
| Bugzilla | 1770137 |
|
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:mozilla/Thunderbird |
Thunderbird
|
< 91.9.1 | ||||
| Fixed | pkg:mozilla/Thunderbird |
Thunderbird
|
= 91.9.1 | ||||
| Affected | pkg:mozilla/Firefox?os=android |
Firefox
|
< 100.3.0 | ||||
| Fixed | pkg:mozilla/Firefox?os=android |
Firefox
|
= 100.3.0 | ||||
| Affected | pkg:mozilla/Firefox%20ESR |
Firefox ESR
|
< 91.9.1 | ||||
| Fixed | pkg:mozilla/Firefox%20ESR |
Firefox ESR
|
= 91.9.1 | ||||
| Affected | pkg:mozilla/Firefox |
Firefox
|
< 100.0.2 | ||||
| Fixed | pkg:mozilla/Firefox |
Firefox
|
= 100.0.2 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |