8.8

CVE-2019-17026

Warnung
Exploit
Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 68.4.1, Thunderbird < 68.4.1, and Firefox < 72.0.1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MozillaFirefox SwEditionesr Version < 68.4.1
MozillaFirefox SwEdition- Version < 72.0.1
MozillaThunderbird Version < 68.4.1
CanonicalUbuntu Linux Version16.04 SwEditionesm

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Mozilla Firefox And Thunderbird Type Confusion Vulnerability

Schwachstelle

Mozilla Firefox and Thunderbird contain a type confusion vulnerability due to incorrect alias information in the IonMonkey JIT compiler when setting array elements.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 46.59% 0.987
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

https://usn.ubuntu.com/4335-1/
Third Party Advisory
https://security.gentoo.org/glsa/202003-02
Third Party Advisory
http://packetstormsecurity.com/files/162568/Firefox-72-IonMonkey-JIT-Type-Confusion.html
Third Party Advisory
Exploit
VDB Entry
https://bugzilla.mozilla.org/show_bug.cgi?id=1607443
Issue Tracking
https://www.mozilla.org/security/advisories/mfsa2020-03/
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2020-04/
Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-17026
US Government Resource