Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-9791 — Type Confusion in Mozilla Firefox

CWE-843 — Type Confusion CWE-20 — Improper Input Validation18 documents9 sources

Severity

9.8CRITICALNVD

EPSS

38.1%

top 2.78%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird +4 more

Timeline

PublishedApr 26

Latest updateMay 24

Description

The type inference system allows the compilation of functions that can cause type confusions between arbitrary objects when compiled through the IonMonkey just-in-time (JIT) compiler and when the constructor function is entered through on-stack replacement (OSR). This allows for possible arbitrary reading and writing of objects during an exploitable crash. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages6 packages

▶CVEListV5mozilla/firefoxunspecified — 66

▶NVDmozilla/firefox< 60.6.0+1

▶CVEListV5mozilla/firefox_esrunspecified — 60.6

▶CVEListV5mozilla/thunderbirdunspecified — 60.6

▶NVDmozilla/thunderbird< 60.6.0

Also affects: Enterprise Linux 8.0, 8.1, 8.2, 8.4

🔴Vulnerability Details

GHSA

GHSA-9r58-49jg-hrq7: The type inference system allows the compilation of functions that can cause type confusions between arbitrary objects when compiled through the IonMo↗2022-05-24

▶

OSV

CVE-2019-9791: The type inference system allows the compilation of functions that can cause type confusions between arbitrary objects when compiled through the IonMo↗2019-04-26

▶

CVEList

CVE-2019-9791: The type inference system allows the compilation of functions that can cause type confusions between arbitrary objects when compiled through the IonMo↗2019-04-26

▶

OSV

firefox regressions↗2019-04-16

▶

OSV

thunderbird vulnerabilities↗2019-03-28

▶

💥Exploits & PoCs

Exploit-DB

Spidermonkey - IonMonkey Type Inference is Incorrect for Constructors Entered via OSR↗2019-03-26

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2019-03-28

▶

Ubuntu

Firefox vulnerabilities↗2019-03-25

▶

Ubuntu

Firefox vulnerabilities↗2019-03-21

▶

Red Hat

Mozilla: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey↗2019-03-20

▶

Debian

CVE-2019-9791: firefox - The type inference system allows the compilation of functions that can cause typ...↗2019

▶

💬Community

Bugzilla

CVE-2019-9791 Mozilla: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey↗2019-03-20

▶

Bugzilla

CVE-2017-9791 struts2: Possible RCE via a malicious field value passed in a raw message to the ActionMessage↗2017-07-10

▶