CVE-2022-2200

Published on: Not Yet Published

Last Modified on: 01/03/2023 08:14:00 PM UTC

CVE-2022-2200

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Certain versions of Firefox from Mozilla contain the following vulnerability:

If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

CVE-2022-2200 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.
Affected Vendor/Software: Mozilla - Firefox version < 102
Affected Vendor/Software: Mozilla - Firefox ESR version < 91.11
Affected Vendor/Software: Mozilla - Thunderbird version < 102
Affected Vendor/Software: Mozilla - Thunderbird version < 91.11

CVSS3 Score: 8.8 - HIGH

Attack Vector ^ⓘ	Attack Complexity	Privileges Required	User Interaction
NETWORK	LOW	NONE	REQUIRED
Scope	Confidentiality Impact	Integrity Impact	Availability Impact
UNCHANGED	HIGH	HIGH	HIGH

CVE References

Description	Tags ^ⓘ	Link
Security Vulnerabilities fixed in Thunderbird 91.11 and Thunderbird 102 — Mozilla	www.mozilla.org text/html	MISC www.mozilla.org/security/advisories/mfsa2022-26/
Security Vulnerabilities fixed in Firefox 102 — Mozilla	www.mozilla.org text/html	MISC www.mozilla.org/security/advisories/mfsa2022-24/
Security Vulnerabilities fixed in Firefox ESR 91.11 — Mozilla	www.mozilla.org text/html	MISC www.mozilla.org/security/advisories/mfsa2022-25/
Access Denied	bugzilla.mozilla.org text/html	MISC bugzilla.mozilla.org/show_bug.cgi?id=1771381

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

Related QID Numbers

159951 Oracle Enterprise Linux Security Update for firefox (ELSA-2022-5469)
159952 Oracle Enterprise Linux Security Update for thunderbird (ELSA-2022-5480)
159954 Oracle Enterprise Linux Security Update for thunderbird (ELSA-2022-5470)
159955 Oracle Enterprise Linux Security Update for firefox (ELSA-2022-5479)
159963 Oracle Enterprise Linux Security Update for firefox (ELSA-2022-5481)
159964 Oracle Enterprise Linux Security Update for thunderbird (ELSA-2022-5482)
179976 Debian Security Update for firefox-esr (DSA 5172-1)
180180 Debian Security Update for firefox-esr (DLA 3064-1)
180807 Debian Security Update for thunderbird (DSA 5175-1)
198849 Ubuntu Security Notification for Firefox Vulnerabilities (USN-5504-1)
198859 Ubuntu Security Notification for Thunderbird Vulnerabilities (USN-5512-1)
240507 Red Hat Update for thunderbird (RHSA-2022:5473)
240512 Red Hat Update for firefox (RHSA-2022:5469)
240513 Red Hat Update for firefox (RHSA-2022:5472)
240515 Red Hat Update for thunderbird (RHSA-2022:5470)
240517 Red Hat Update for firefox (RHSA-2022:5481)
240519 Red Hat Update for thunderbird (RHSA-2022:5480)
240520 Red Hat Update for firefox (RHSA-2022:5479)
240521 Red Hat Update for firefox (RHSA-2022:5474)
240525 Red Hat Update for thunderbird (RHSA-2022:5475)
240526 Red Hat Update for thunderbird (RHSA-2022:5482)
257173 CentOS Security Update for firefox (CESA-2022:5479)
257175 CentOS Security Update for thunderbird (CESA-2022:5480)
296082 Oracle Solaris 11.4 Support Repository Update (SRU) 48.126.1 Missing (CPUJUL2022)
354760 Amazon Linux Security Advisory for thunderbird : ALAS2-2023-1951
376705 Mozilla Firefox Multiple Vulnerabilities (MFSA2022-24)
376706 Mozilla Firefox ESR Multiple Vulnerabilities (MFSA2022-25)
376707 Mozilla Thunderbird Multiple Vulnerabilities (MFSA2022-26)
502285 Alpine Linux Security Update for firefox-esr
502406 Alpine Linux Security Update for thunderbird
502853 Alpine Linux Security Update for firefox
502957 Alpine Linux Security Update for thunderbird
502958 Alpine Linux Security Update for thunderbird
710582 Gentoo Linux Mozilla Firefox Multiple Vulnerabilities (GLSA 202208-08)
710585 Gentoo Linux Mozilla Thunderbird Multiple Vulnerabilities (GLSA 202208-14)
752304 SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2022:2279-1)
752306 SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2022:2289-1)
752316 SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2022:2313-1)
752583 SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2022:3273-1)
752590 SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2022:3272-1)
752611 SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2022:3396-1)
753189 SUSE Enterprise Linux Security Update for MozillaThunderbird (SUSE-SU-2022:3281-1)
753371 SUSE Enterprise Linux Security Update for MozillaThunderbird (SUSE-SU-2022:2320-1)
940630 AlmaLinux Security Update for thunderbird (ALSA-2022:5482)
960144 Rocky Linux Security Update for firefox (RLSA-2022:5469)
960153 Rocky Linux Security Update for thunderbird (RLSA-2022:5470)

Known Affected Configurations (CPE V2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Mozilla	Firefox	All	All	All	All
Application	Mozilla	Firefox Esr	All	All	All	All
Application	Mozilla	Thunderbird	All	All	All	All

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*:
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*:
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*:

No vendor comments have been submitted for this CVE

Social Mentions

Source	Title	Posted (UTC)
@RedPacketSec	Mozilla Firefox code execution \| CVE-2022-2200 - redpacketsecurity.com/mozilla-firefo… #CVE #Vulnerability #OSINT #ThreatIntel #Cyber	2022-06-29 09:02:15
@mistymntncop	Looks like CVE-2022-1529 was used to exploit CVE-2022-2200 "Undesired attributes could be set as part of prototype… twitter.com/i/web/status/1…	2022-08-12 00:58:00
@mistymntncop	One bug away from a full chain, CVE-2022-2200 I think. Annoyingly I haven't figured out how to reach it yet as ther… twitter.com/i/web/status/1…	2022-08-23 09:57:00
@mistymntncop	CVE-2022-2200 added to the chain. Full chain complete RCE + SBX :-). Shout out to @_manfp, @hosselot and the good f… twitter.com/i/web/status/1…	2022-08-23 23:01:59
@ipssignatures	The vuln CVE-2022-2200 has a tweet created 0 days ago and retweeted 11 times. twitter.com/mistymntncop/s… #pow1rtrtwwcve	2022-08-24 06:06:00
@CVEtrends	Top 3 trending CVEs on Twitter Past 24 hrs: CVE-2022-2884: 184.7K (audience size) CVE-2022-2200: 157.7K CVE-2019-1… twitter.com/i/web/status/1…	2022-08-24 13:00:03
@ksg93rd	#exploit 1. CVE-2022-1802 + CVE-2022-1529 + CVE-2022-2200: Mozilla Firefox RCE + SBX full chain complete github.com/mistymntncop/C…	2022-08-25 09:33:07
@cyber_advising	CVE-2022-1802 + CVE-2022-1529 + CVE-2022-2200 Firefox 100.0.1 RCE Object prototype, they could set undesired attrib… twitter.com/i/web/status/1…	2022-08-29 12:20:47
@ipssignatures	The vuln CVE-2022-2200 has a tweet created 0 days ago and retweeted 25 times. twitter.com/cyber_advising… #pow1rtrtwwcve	2022-08-29 16:06:01
/r/k12cybersecurity	MS-ISAC CYBERSECURITY ADVISORY - Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution - PATCH: NOW	2022-06-30 13:31:17