CVE-2022-2200
Published: 22 December 2022
Summary
CVE-2022-2200 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 8.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-2200 is a prototype-pollution issue in the JavaScript engine that allows an attacker who can corrupt an object prototype to set arbitrary attributes on JavaScript objects, ultimately resulting in privileged code execution. The flaw affects Firefox before version 102, Firefox ESR before 91.11, Thunderbird before 102, and Thunderbird before 91.11.
An unauthenticated remote attacker can trigger the vulnerability by causing a victim to visit a malicious web page or open a specially crafted message; successful exploitation yields high-impact effects on confidentiality, integrity, and availability without requiring prior privileges on the target system.
Mozilla security advisories MFSA2022-24, MFSA2022-25, and MFSA2022-26 recommend immediate upgrade to the fixed releases. The associated EPSS score has remained flat at 0.0620 since disclosure, indicating no material increase in observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-34483
Vulnerability details
If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102,…
more
and Thunderbird < 91.11.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.