Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Affecting firefox package, versions <100.0.2-1
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIANUNSTABLE-FIREFOX-2841207
- published 21 May 2022
- disclosed 22 Dec 2022
Introduced: 21 May 2022
CVE-2022-1529 Open this link in a new tabHow to fix?
Upgrade Debian:unstable
firefox
to version 100.0.2-1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream firefox
package and not the firefox
package as distributed by Debian
.
See How to fix?
for Debian:unstable
relevant fixed versions and status.
An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1.