CVE-2019-17017

Current Description

Due to a missing case when handling object types, a type confusion vulnerability could occur, resulting in a crash. We presume that with enough effort it could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.

Referenced by CVEs: CVE-2019-17107

Basic Data

Published: January 08, 2020
Last Modified: January 13, 2020
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-843 (Access of Resource Using Incompatible Type, "Type Confusion")
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Integrity Impact: PARTIAL
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 6.8
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 6.4
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1 (CPE 2.3; columns not shown are "*" = any)
    Part         Vendor    Product       Version   Version End Excluding
    Application  Mozilla   Firefox Esr   *         68.4
    Application  Mozilla   Firefox       *         72.0
  • OR - Configuration 2 (CPE 2.3; columns not shown are "*" = any)
    Part   Vendor      Product        Version   SW Edition
    OS     Canonical   Ubuntu Linux   19.10     *
    OS     Canonical   Ubuntu Linux   19.04     *
    OS     Canonical   Ubuntu Linux   18.04     lts
    OS     Canonical   Ubuntu Linux   16.04     lts
  • OR - Configuration 3 (CPE 2.3; columns not shown are "*" = any)
    Part   Vendor   Product        Version
    OS     Debian   Debian Linux   10.0
    OS     Debian   Debian Linux   9.0
    OS     Debian   Debian Linux   8.0
  • OR - Configuration 4 (CPE 2.3; columns not shown are "*" = any)
    Part   Vendor   Product                        Version
    OS     Redhat   Enterprise Linux Server Aus    7.7
    OS     Redhat   Enterprise Linux Server        7.0
    OS     Redhat   Enterprise Linux Server        6.0
    OS     Redhat   Enterprise Linux Desktop       7.0
    OS     Redhat   Enterprise Linux Desktop       6.0
    OS     Redhat   Enterprise Linux Server Tus    7.7
    OS     Redhat   Enterprise Linux Workstation   6.0
    OS     Redhat   Enterprise Linux Workstation   7.0
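Configuration 1 gives the only version bounds in this record: Firefox ESR is affected below 68.4 and release-channel Firefox below 72.0, with no lower bound on either range. The helper below is an added example written for this page (not NVD, Mozilla or distribution tooling); it parses the string that `firefox --version` prints, decides the channel from the "esr" suffix, and compares the numeric part against those two bounds. The version strings in it are constructed for illustration.

```python
"""Upstream-version check for CVE-2019-17017 (added example, not from the record)."""
import re
from typing import Tuple

# (major, minor) of "Version End Excluding" for each channel, from Configuration 1.
AFFECTED_BELOW = {
    "esr": (68, 4),
    "release": (72, 0),
}

# Matches "68.3.0esr", "71.0.1", "72.0"; the optional suffix selects the ESR channel.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(esr)?", re.IGNORECASE)


def parse_firefox_version(text: str) -> Tuple[Tuple[int, ...], str]:
    """Return (numeric_tuple, channel) for e.g. 'Mozilla Firefox 68.3.0esr'.

    Raises ValueError when no version number is present so a garbled or
    empty string is not silently treated as unaffected."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Firefox version found in {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    channel = "esr" if m.group(2) else "release"
    return nums, channel


def is_affected(text: str) -> bool:
    """True when the upstream version lies below the channel's fixed version.

    Tuple comparison does the right thing for mixed lengths: (68, 3, 0) < (68, 4)
    is affected, while (68, 4) and (68, 4, 1) are not."""
    nums, channel = parse_firefox_version(text)
    return nums < AFFECTED_BELOW[channel]


if __name__ == "__main__":
    # Constructed sample outputs of `firefox --version`.
    for sample in ("Mozilla Firefox 68.3.0esr", "Mozilla Firefox 68.4.0esr",
                   "Mozilla Firefox 71.0.1", "Mozilla Firefox 72.0"):
        print(f"{sample!r:32} affected={is_affected(sample)}")
```

Two caveats when using this against real hosts. First, the ESR bound is only applied when the "esr" suffix is present; a packaging that strips it would report 68.4.x as affected against the 72.0 release bound, so treat a positive result on a bare 68.x string as "check the channel". Second, the Ubuntu, Debian and Red Hat rows in Configurations 2 to 4 cover distribution packages whose fixes are tracked by the advisories in the References section (USN-4234-1, DSA-4600, DLA 2061-1, RHSA-2020:0085/0086), and the package version strings those distributions ship do not map onto the upstream ranges, so the upstream check above does not apply to them.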

Vulnerable Software List

Vendor      Product                        Versions
Debian      Debian Linux                   8.0, 9.0, 10.0
Mozilla     Firefox                        * (any version below 72.0, per Configuration 1)
Mozilla     Firefox Esr                    * (any version below 68.4, per Configuration 1)
Canonical   Ubuntu Linux                   16.04, 18.04, 19.04, 19.10
Redhat      Enterprise Linux Desktop       6.0, 7.0
Redhat      Enterprise Linux Server Tus    7.7
Redhat      Enterprise Linux Server        6.0, 7.0
Redhat      Enterprise Linux Workstation   6.0, 7.0
Redhat      Enterprise Linux Server Aus    7.7

References

Name | Source | URL | Tags
20200112 [slackware-security] mozilla-thunderbird (SSA:2020-010-01) | BUGTRAQ | https://seclists.org/bugtraq/2020/Jan/18 | Vendor Advisory, Third Party Advisory, Mailing List, Permissions Required
20200109 [SECURITY] [DSA 4600-1] firefox-esr security update | BUGTRAQ | https://seclists.org/bugtraq/2020/Jan/12 | Third Party Advisory
[debian-lts-announce] 20200109 [SECURITY] [DLA 2061-1] firefox-esr security update | MLIST | https://lists.debian.org/debian-lts-announce/2020/01/msg00005.html |
RHSA-2020:0086 | REDHAT | https://access.redhat.com/errata/RHSA-2020:0086 |
Mozilla bug 1603055 | MISC | https://bugzilla.mozilla.org/show_bug.cgi?id=1603055 |
RHSA-2020:0085 | REDHAT | https://access.redhat.com/errata/RHSA-2020:0085 |
Slackware Security Advisory - mozilla-thunderbird Updates | MISC | http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html |
USN-4234-1 | UBUNTU | https://usn.ubuntu.com/4234-1/ |
DSA-4600 | DEBIAN | https://www.debian.org/security/2020/dsa-4600 |
MFSA 2020-01 | CONFIRM | https://www.mozilla.org/security/advisories/mfsa2020-01/ |
MFSA 2020-02 | CONFIRM | https://www.mozilla.org/security/advisories/mfsa2020-02/ |