⚠ Actively exploited

Added to CISA KEV on 2022-05-23. Federal agencies required to patch by 2022-06-13. Required action: Apply updates per vendor instructions..

CVE-2019-11707 — Type Confusion in Mozilla Firefox

CWE-843 — Type Confusion24 documents14 sources

Severity

8.8HIGHNVD

EPSS

84.4%

top 0.67%

CISA KEV

KEV

Added 2022-05-23

Due 2022-06-13

Exploit

Exploited in wild

Active exploitation observed

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird +3 more

Timeline

PublishedJul 23

KEV addedMay 23

KEV dueJun 13

Latest updateJan 9

CISA Required Action: Apply updates per vendor instructions.

Description

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages10 packages

▶debiandebian/firefox< firefox 67.0.3-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 67.0.3

▶NVDmozilla/firefox< 60.7.1+1

▶debiandebian/firefox-esr< firefox 67.0.3-1 (sid)

▶CVEListV5mozilla/firefox_esrunspecified — 60.7.1

🔴Vulnerability Details

GHSA

GHSA-8ffr-q7j8-h445: A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array↗2022-05-24

▶

OSV

CVE-2019-11707: A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array↗2019-07-23

▶

OSV

thunderbird vulnerabilities↗2019-07-01

▶

VulnCheck

Mozilla Firefox and Thunderbird Type Confusion Vulnerability↗2019

▶

Project0

Project Zero RCA: CVE-2019-11707: IonMonkey Type Confusion in Array.Pop↗

▶

💥Exploits & PoCs

Exploit-DB

Mozilla Firefox 67 - Array.pop JIT Type Confusion↗2022-02-02

▶

Exploit-DB

Mozilla Spidermonkey - IonMonkey 'Array.prototype.pop' Type Confusion↗2019-06-26

▶

📋Vendor Advisories

CISA

Mozilla Firefox and Thunderbird Type Confusion Vulnerability↗2022-05-23

▶

Ubuntu

Thunderbird vulnerabilities↗2019-07-01

▶

Red Hat

Mozilla: Type confusion in Array.pop↗2019-06-19

▶

Ubuntu

Firefox vulnerability↗2019-06-19

▶

Debian

CVE-2019-11707: firefox - A type confusion vulnerability can occur when manipulating JavaScript objects du...↗2019

▶

🕵️Threat Intelligence

Sentinelone

7 Ways Threat Actors Deliver macOS Malware in the Enterprise↗2023-01-09

▶

Sentinelone

7 Ways Threat Actors Deliver macOS Malware in the Enterprise↗2023-01-09

▶

Tenable

CVE-2019-17026: Zero-Day Vulnerability in Mozilla Firefox Exploited in Targeted Attacks↗2020-01-08

▶

Securelist

IT threat evolution Q2 2019. Statistics↗2019-08-19

▶

Sentinelone

How Two Firefox Zero Days Led to Two macOS Backdoors↗2019-06-26

▶

💬Community

Bugzilla

CVE-2019-11707 thunderbird: Mozilla: Type confusion in Array.pop [fedora-all]↗2019-06-21

▶

Bugzilla

CVE-2019-11707 Mozilla: Type confusion in Array.pop↗2019-06-19

▶

Bugzilla

CVE-2019-11707 CVE-2019-11708 firefox: various flaws [fedora-all]↗2019-06-19

▶