{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-1529", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "dateUpdated": "2022-12-22T00:00:00", "dateReserved": "2022-04-29T00:00:00", "datePublished": "2022-12-22T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2022-12-22T00:00:00"}, "descriptions": [{"lang": "en", "value": "An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1."}], "affected": [{"vendor": "Mozilla", "product": "Firefox ESR", "versions": [{"version": "unspecified", "lessThan": "91.9.1", "status": "affected", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Firefox", "versions": [{"version": "unspecified", "lessThan": "100.0.2", "status": "affected", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Firefox for Android", "versions": [{"version": "unspecified", "lessThan": "100.3.0", "status": "affected", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"version": "unspecified", "lessThan": "91.9.1", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://www.mozilla.org/security/advisories/mfsa2022-19/"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1770048"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Untrusted input used in JavaScript object indexing, leading to prototype pollution"}]}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "62D778FE-BC8B-4D82-887C-F647BF6D3600", "versionEndExcluding": "100.0.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "matchCriteriaId": "E42B5379-88D5-4CFB-BF6D-3AECA5AF4E4B", "versionEndExcluding": "91.9.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "177907AF-0268-4DDE-9F7E-57D87C9B8417", "versionEndExcluding": "91.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBAC048A-B655-4B3F-B57E-E29CFB5EC3D3", "versionEndExcluding": "100.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1."}, {"lang": "es", "value": "Un atacante podr\u00eda haber enviado un mensaje al proceso principal donde el contenido se us\u00f3 para realizar un doble \u00edndice en un objeto JavaScript, lo que provoc\u00f3 la contaminaci\u00f3n del prototipo y, en \u00faltima instancia, la ejecuci\u00f3n de JavaScript controlada por el atacante en el proceso principal privilegiado. Esta vulnerabilidad afecta a Firefox ESR &lt; 91.9.1, Firefox &lt; 100.0.2, Firefox para Android &lt; 100.3.0 y Thunderbird &lt; 91.9.1."}], "id": "CVE-2022-1529", "lastModified": "2022-12-29T16:41:34.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-22T20:15:13.327", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1770048"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2022-19/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}