[MFSA-2022-19] Security Vulnerabilities fixed in Firefox 100.0.2, Firefox for Android 100.3.0, Firefox ESR 91.9.1, Thunderbird 91.9.1
Severity: Critical
Affected Packages: 4
Fixed Packages: 4
CVEs: 2
CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution (critical)
An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process.
CVE-2022-1802: Prototype pollution in Top-Level Await implementation (critical)
If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context.
Package | Affected Version |
---|---|
pkg:mozilla/Thunderbird | < 91.9.1 |
pkg:mozilla/Firefox?os=android | < 100.3.0 |
pkg:mozilla/Firefox%20ESR | < 91.9.1 |
pkg:mozilla/Firefox | < 100.0.2 |
Package | Fixed Version |
---|---|
pkg:mozilla/Thunderbird | = 91.9.1 |
pkg:mozilla/Firefox?os=android | = 100.3.0 |
pkg:mozilla/Firefox%20ESR | = 91.9.1 |
pkg:mozilla/Firefox | = 100.0.2 |
- ID: MFSA-2022-19
- Severity: critical
- URL: https://www.mozilla.org/en-US/security/advisories/mfsa2022-19
- Published: 2022-05-20T00:00:00 (2 years ago)
- Modified: 2022-05-20T00:00:00 (2 years ago)
- Other Advisories:
- ALAS2-2022-1804
- ALPINE:CVE-2022-1529
- ALPINE:CVE-2022-1802
- ALSA-2022:4769
- ALSA-2022:4776
- DSA-5143-1
- DSA-5158-1
- ELSA-2022-4729
- ELSA-2022-4730
- ELSA-2022-4765
- ELSA-2022-4769
- ELSA-2022-4772
- ELSA-2022-4776
- GLSA-202208-08
- GLSA-202208-14
- RHSA-2022:4729
- RHSA-2022:4730
- RHSA-2022:4765
- RHSA-2022:4769
- RHSA-2022:4772
- RHSA-2022:4776
- RLSA-2022:4769
- RLSA-2022:4776
- SSA:2022-140-01
- SSA:2022-140-02
- SUSE-SU-2022:1808-1
- SUSE-SU-2022:1818-1
- SUSE-SU-2022:1830-1
- SUSE-SU-2022:2062-1
- USN-5434-1
- USN-5435-1
Source | ID | Name | URL |
---|---|---|---|
Bugzilla | 1770048 | | https://bugzilla.mozilla.org/show_bug.cgi?id=1770048 |
Bugzilla | 1770137 | | https://bugzilla.mozilla.org/show_bug.cgi?id=1770137 |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:mozilla/Thunderbird | | Thunderbird | < 91.9.1 | | | |
Fixed | pkg:mozilla/Thunderbird | | Thunderbird | = 91.9.1 | | | |
Affected | pkg:mozilla/Firefox?os=android | | Firefox | < 100.3.0 | | | |
Fixed | pkg:mozilla/Firefox?os=android | | Firefox | = 100.3.0 | | | |
Affected | pkg:mozilla/Firefox%20ESR | | Firefox ESR | < 91.9.1 | | | |
Fixed | pkg:mozilla/Firefox%20ESR | | Firefox ESR | = 91.9.1 | | | |
Affected | pkg:mozilla/Firefox | | Firefox | < 100.0.2 | | | |
Fixed | pkg:mozilla/Firefox | | Firefox | = 100.0.2 | | | |