Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Affecting thunderbird package, versions <1:91.10.0-1
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN12-THUNDERBIRD-2841254
- published 21 May 2022
- disclosed 22 Dec 2022
Introduced: 21 May 2022
CVE-2022-1529 Open this link in a new tabHow to fix?
Upgrade Debian:12 thunderbird to version 1:91.10.0-1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream thunderbird package and not the thunderbird package as distributed by Debian.
See How to fix? for Debian:12 relevant fixed versions and status.
An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1.