CVE-2019-11707
Published: 19 June 2019
A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2.
Notes
Author | Note |
---|---|
tyhicks | mozjs contains a copy of the SpiderMonkey JavaScript engine |
msalvatore | PoC does not cause a crash in mozjs38. The code has also significantly diverged. |
Priority
Status
Package | Release | Status |
---|---|---|
firefox | bionic | Released (67.0.3+build1-0ubuntu0.18.04.1) |
firefox | cosmic | Released (67.0.3+build1-0ubuntu0.18.10.1) |
firefox | disco | Released (67.0.3+build1-0ubuntu0.19.04.1) |
firefox | eoan | Released (67.0.3+build1-0ubuntu1) |
firefox | focal | Released (67.0.3+build1-0ubuntu1) |
firefox | groovy | Released (67.0.3+build1-0ubuntu1) |
firefox | hirsute | Released (67.0.3+build1-0ubuntu1) |
firefox | impish | Released (67.0.3+build1-0ubuntu1) |
firefox | jammy | Released (67.0.3+build1-0ubuntu1) |
firefox | kinetic | Released (67.0.3+build1-0ubuntu1) |
firefox | lunar | Released (67.0.3+build1-0ubuntu1) |
firefox | mantic | Released (67.0.3+build1-0ubuntu1) |
firefox | noble | Released (67.0.3+build1-0ubuntu1) |
firefox | trusty | Does not exist |
firefox | upstream | Released (67.0.3) |
firefox | xenial | Released (67.0.3+build1-0ubuntu0.16.04.1) |
mozjs38 | bionic | Not vulnerable (PoC does not cause crash) |
mozjs38 | cosmic | Does not exist |
mozjs38 | disco | Does not exist |
mozjs38 | eoan | Does not exist |
mozjs38 | focal | Does not exist |
mozjs38 | groovy | Does not exist |
mozjs38 | hirsute | Does not exist |
mozjs38 | impish | Does not exist |
mozjs38 | jammy | Does not exist |
mozjs38 | kinetic | Does not exist |
mozjs38 | lunar | Does not exist |
mozjs38 | mantic | Does not exist |
mozjs38 | noble | Does not exist |
mozjs38 | trusty | Does not exist |
mozjs38 | upstream | Not vulnerable |
mozjs38 | xenial | Does not exist |
mozjs52 | bionic | Needed |
mozjs52 | cosmic | Ignored (end of life) |
mozjs52 | disco | Ignored (end of life) |
mozjs52 | eoan | Ignored (end of life) |
mozjs52 | focal | Needed |
mozjs52 | groovy | Ignored (end of life) |
mozjs52 | hirsute | Does not exist |
mozjs52 | impish | Does not exist |
mozjs52 | jammy | Does not exist |
mozjs52 | kinetic | Does not exist |
mozjs52 | lunar | Does not exist |
mozjs52 | mantic | Does not exist |
mozjs52 | noble | Does not exist |
mozjs52 | trusty | Does not exist |
mozjs52 | upstream | Needed |
mozjs52 | xenial | Does not exist |
mozjs60 | bionic | Does not exist |
mozjs60 | cosmic | Ignored (end of life) |
mozjs60 | disco | Ignored (end of life) |
mozjs60 | eoan | Ignored (end of life) |
mozjs60 | focal | Does not exist |
mozjs60 | groovy | Does not exist |
mozjs60 | hirsute | Does not exist |
mozjs60 | impish | Does not exist |
mozjs60 | jammy | Does not exist |
mozjs60 | kinetic | Does not exist |
mozjs60 | lunar | Does not exist |
mozjs60 | mantic | Does not exist |
mozjs60 | noble | Does not exist |
mozjs60 | trusty | Does not exist |
mozjs60 | upstream | Needed |
mozjs60 | xenial | Does not exist |
thunderbird | bionic | Released (1:60.7.2+build1-0ubuntu0.18.04.1) |
thunderbird | cosmic | Released (1:60.7.2+build1-0ubuntu0.18.10.1) |
thunderbird | disco | Released (1:60.7.2+build1-0ubuntu0.19.04.1) |
thunderbird | eoan | Released (1:60.7.2+build1-0ubuntu1) |
thunderbird | focal | Released (1:60.7.2+build1-0ubuntu1) |
thunderbird | groovy | Released (1:60.7.2+build1-0ubuntu1) |
thunderbird | hirsute | Released (1:60.7.2+build1-0ubuntu1) |
thunderbird | impish | Released (1:60.7.2+build1-0ubuntu1) |
thunderbird | jammy | Released (1:60.7.2+build1-0ubuntu1) |
thunderbird | kinetic | Released (1:60.7.2+build1-0ubuntu1) |
thunderbird | lunar | Released (1:60.7.2+build1-0ubuntu1) |
thunderbird | mantic | Released (1:60.7.2+build1-0ubuntu1) |
thunderbird | noble | Released (1:60.7.2+build1-0ubuntu1) |
thunderbird | trusty | Does not exist |
thunderbird | upstream | Released (60.7.2) |
thunderbird | xenial | Released (1:60.7.2+build1-0ubuntu0.16.04.1) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |