Lucene search

K
archlinuxArchLinuxASA-202001-3
HistoryJan 10, 2020 - 12:00 a.m.

[ASA-202001-3] firefox: arbitrary code execution

2020-01-1000:00:00
security.archlinux.org
17

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.526

Percentile

97.6%

Arch Linux Security Advisory ASA-202001-3

Severity: Critical
Date : 2020-01-10
CVE-ID : CVE-2019-17026
Package : firefox
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-1085

Summary

The package firefox before version 72.0.1-1 is vulnerable to arbitrary
code execution.

Resolution

Upgrade to 72.0.1-1.

pacman -Syu “firefox>=72.0.1-1”

The problem has been fixed upstream in version 72.0.1.

Workaround

None.

Description

A type confusion vulnerability has been found in Firefox before 72.0.1.
Incorrect alias information in IonMonkey JIT compiler for setting array
elements could lead to a type confusion with StoreElementHole and
FallibleStoreElement. Mozilla is aware of targeted attacks in the wild
abusing this flaw.

Impact

A remote attacker can execute arbitrary code on the affected host.

References

https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/
https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/#CVE-2019-17026
https://bugzilla.mozilla.org/show_bug.cgi?id=1607443
https://security.archlinux.org/CVE-2019-17026

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanyfirefox< 72.0.1-1UNKNOWN

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.526

Percentile

97.6%