{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-1529", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "dateUpdated": "2025-04-16T15:19:47.119Z", "dateReserved": "2022-04-29T00:00:00.000Z", "datePublished": "2022-12-22T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2022-12-22T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1."}], "affected": [{"vendor": "Mozilla", "product": "Firefox ESR", "versions": [{"version": "unspecified", "lessThan": "91.9.1", "status": "affected", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Firefox", "versions": [{"version": "unspecified", "lessThan": "100.0.2", "status": "affected", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Firefox for Android", "versions": [{"version": "unspecified", "lessThan": "100.3.0", "status": "affected", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"version": "unspecified", "lessThan": "91.9.1", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://www.mozilla.org/security/advisories/mfsa2022-19/"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1770048"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Untrusted input used in JavaScript object indexing, leading to prototype pollution"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:10:03.467Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.mozilla.org/security/advisories/mfsa2022-19/", "tags": ["x_transferred"]}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1770048", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1321", "lang": "en", "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-16T15:19:19.148657Z", "id": "CVE-2022-1529", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T15:19:47.119Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.mozilla.org/security/advisories/mfsa2022-19/", "tags": ["x_transferred"]}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1770048", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:10:03.467Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-1529", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-16T15:19:19.148657Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T15:19:42.678Z"}}], "cna": {"affected": [{"vendor": "Mozilla", "product": "Firefox ESR", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "91.9.1", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "100.0.2", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Firefox for Android", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "100.3.0", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "91.9.1", "versionType": "custom"}]}], "references": [{"url": "https://www.mozilla.org/security/advisories/mfsa2022-19/"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1770048"}], "descriptions": [{"lang": "en", "value": "An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Untrusted input used in JavaScript object indexing, leading to prototype pollution"}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2022-12-22T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-1529", "state": "PUBLISHED", "dateUpdated": "2025-04-16T15:19:47.119Z", "dateReserved": "2022-04-29T00:00:00.000Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2022-12-22T00:00:00.000Z", "assignerShortName": "mozilla"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "62D778FE-BC8B-4D82-887C-F647BF6D3600", "versionEndExcluding": "100.0.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "matchCriteriaId": "E42B5379-88D5-4CFB-BF6D-3AECA5AF4E4B", "versionEndExcluding": "91.9.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "177907AF-0268-4DDE-9F7E-57D87C9B8417", "versionEndExcluding": "91.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBAC048A-B655-4B3F-B57E-E29CFB5EC3D3", "versionEndExcluding": "100.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1."}, {"lang": "es", "value": "Un atacante podr\u00eda haber enviado un mensaje al proceso principal donde el contenido se us\u00f3 para realizar un doble \u00edndice en un objeto JavaScript, lo que provoc\u00f3 la contaminaci\u00f3n del prototipo y, en \u00faltima instancia, la ejecuci\u00f3n de JavaScript controlada por el atacante en el proceso principal privilegiado. Esta vulnerabilidad afecta a Firefox ESR &lt; 91.9.1, Firefox &lt; 100.0.2, Firefox para Android &lt; 100.3.0 y Thunderbird &lt; 91.9.1."}], "id": "CVE-2022-1529", "lastModified": "2025-04-16T16:15:20.683", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-12-22T20:15:13.327", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1770048"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2022-19/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Permissions Required", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1770048"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2022-19/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1321"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2022:4729", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "firefox-0:91.9.1-1.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-05-24T00:00:00Z"}, {"advisory": "RHSA-2022:4730", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "thunderbird-0:91.9.1-1.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-05-24T00:00:00Z"}, {"advisory": "RHSA-2022:4769", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:91.9.1-1.el8_6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-05-27T00:00:00Z"}, {"advisory": "RHSA-2022:4776", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:91.9.1-1.el8_6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-05-27T00:00:00Z"}, {"advisory": "RHSA-2022:4767", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "firefox-0:91.9.1-1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-05-27T00:00:00Z"}, {"advisory": "RHSA-2022:4770", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "thunderbird-0:91.9.1-1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-05-27T00:00:00Z"}, {"advisory": "RHSA-2022:4768", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "firefox-0:91.9.1-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2022-05-27T00:00:00Z"}, {"advisory": "RHSA-2022:4773", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "thunderbird-0:91.9.1-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2022-05-26T00:00:00Z"}, {"advisory": "RHSA-2022:4766", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "firefox-0:91.9.1-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-05-27T00:00:00Z"}, {"advisory": "RHSA-2022:4774", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "thunderbird-0:91.9.1-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-05-27T00:00:00Z"}, {"advisory": "RHSA-2022:4765", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "firefox-0:91.9.1-1.el9_0", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-05-27T00:00:00Z"}, {"advisory": "RHSA-2022:4772", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "thunderbird-0:91.9.1-1.el9_0", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-05-27T00:00:00Z"}], "bugzilla": {"description": "Mozilla: Untrusted input used in JavaScript object indexing, leading to prototype pollution", "id": "2089218", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2089218"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-843", "details": ["An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1.", "The Mozilla Foundation Security Advisory describes this flaw as: An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process."], "name": "CVE-2022-1529", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2022-05-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-1529\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-1529\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2022-19/#CVE-2022-1529"], "threat_severity": "Critical"}