CVE-2022-1802
Publication date 23 May 2022
Last updated 24 July 2024
Ubuntu priority
If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| firefox | ||
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Fixed 100.0.2+build1-0ubuntu0.20.04.1
|
|
| 18.04 LTS bionic |
Fixed 100.0.2+build1-0ubuntu0.18.04.1
|
|
| 16.04 LTS xenial | Ignored end of standard support | |
| 14.04 LTS trusty | Not in release | |
| thunderbird | ||
| 22.04 LTS jammy |
Fixed 1:91.9.1+build1-0ubuntu0.22.04.1
|
|
| 20.04 LTS focal |
Fixed 1:91.9.1+build1-0ubuntu0.20.04.1
|
|
| 18.04 LTS bionic |
Fixed 1:91.9.1+build1-0ubuntu0.18.04.1
|
|
| 16.04 LTS xenial | Ignored end of standard support | |
| 14.04 LTS trusty | Not in release |
Notes
mdeslaur
starting with Ubuntu 22.04, the firefox package is just a script that installs the Firefox snap
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
8.8 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-5434-1
- Firefox vulnerabilities
- 23 May 2022
- USN-5435-1
- Thunderbird vulnerabilities
- 25 May 2022