CVE-2019-9813
published 2019-04-26
Priority P3 · 57 · high · 8.8 CVSS 3.0
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 7.39% (93.7th percentile)
Incorrect handling of __proto__ mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write. This vulnerability affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and Thunderbird < 60.6.1.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 66.0.1-1 (sid) | firefox 66.0.1-1 (sid) |
| debian | firefox-esr | < firefox 66.0.1-1 (sid) | firefox 66.0.1-1 (sid) |
| mozilla | firefox | < 60.6.1 | 60.6.1 |
| mozilla | firefox | < 66.0.1 | 66.0.1 |
| mozilla | firefox | >= unspecified < 66.0.1 | 66.0.1 |
| mozilla | firefox_esr | >= unspecified < 60.6.1 | 60.6.1 |
| mozilla | thunderbird | < 60.6.1 | 60.6.1 |
| mozilla | thunderbird | >= 0 < 1:60.6.1+build2-0ubuntu0.14.04.1 | 1:60.6.1+build2-0ubuntu0.14.04.1 |
| mozilla | thunderbird | >= 0 < 1:60.6.1+build2-0ubuntu0.16.04.1 | 1:60.6.1+build2-0ubuntu0.16.04.1 |
| mozilla | thunderbird | >= 0 < 1:60.6.1+build2-0ubuntu0.18.04.1 | 1:60.6.1+build2-0ubuntu0.18.04.1 |
| mozilla | thunderbird | >= unspecified < 60.6.1 | 60.6.1 |
Detection & IOCs

Command:

```js
function hax(o, changeProto) {
    if (changeProto) {
        o.p = 42;
        o.__proto__ = {};
    }
    o.p = 13.37;
    return o;
}
```

Command:

```js
let y = {slots: 13.37, elements: 13.38, buffer: ab, length: 13.39, byteOffset: 13.40, data: 3.54484805889626e-310};
```

- Look for JavaScript triggering __proto__ reassignment inside a JIT-compiled function that also performs repeated property writes to the same property (e.g. `o.p = <int>; o.__proto__ = {}; o.p = <float>;`). This pattern is the core trigger for the IonMonkey type confusion.
- Detect exploit attempts that construct a fake Uint8Array-shaped plain object with controlled float slot values (e.g. slots: 13.37, elements: 13.38, data: 3.54484805889626e-310) to overlap internal Uint8Array fields for arbitrary memory read/write.
- The vulnerability is exploitable in browser and browser-like contexts via a specially crafted website. Monitor for Firefox/Thunderbird versions below the fixed thresholds: Firefox < 66.0.1, Firefox ESR < 60.6.1, Thunderbird < 60.6.1.
- In debug SpiderMonkey builds, the exploit triggers a crash with assertion: 'Missing type in object ... p: float' at js/src/vm/TypeInference.cpp:265. This assertion message can be used as a signature in crash telemetry or fuzzing harnesses.
- Thunderbird is generally not exploitable via email because scripting is disabled when reading mail; exploitation risk is limited to browser or browser-like contexts.
CVSS provenance
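| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |
| vendor_redhat | | 8.8 | HIGH | |
| vendor_ubuntu | | 5.9 | MEDIUM | |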
GHSA
GHSA-qxrm-24v6-5c8c: Incorrect handling of __proto__ mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write
ghsa_unreviewed·2022-05-24
CVE-2019-9813 [HIGH] CWE-843 GHSA-qxrm-24v6-5c8c: Incorrect handling of __proto__ mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write
Incorrect handling of __proto__ mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write. This vulnerability affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and Thunderbird < 60.6.1.
OSV
CVE-2019-9813: Incorrect handling of __proto__ mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write
osv·2019-04-26·CVSS 8.8
CVE-2019-9813 [HIGH] CVE-2019-9813: Incorrect handling of __proto__ mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write
Incorrect handling of __proto__ mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write. This vulnerability affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and Thunderbird < 60.6.1.
OSV
thunderbird vulnerabilities
osv·2019-03-28·CVSS 5.9
CVE-2018-18506 [MEDIUM] thunderbird vulnerabilities
thunderbird vulnerabilities
It was discovered that Thunderbird allowed PAC files to specify that
requests to localhost are sent through the proxy to another server. If
proxy auto-detection is enabled, an attacker could potentially exploit
this to conduct attacks on local services and tools. (CVE-2018-18506)
Multiple security issues were discovered in Thunderbird. If a user were
tricked in to opening a specially crafted website in a browsing context,
an attacker could potentially exploit these to cause a denial of service,
or execute arbitrary code. (CVE-2019-9788, CVE-2019-9790, CVE-2019-9791,
CVE-2019-9792, CVE-2019-9795, CVE-2019-9796, CVE-2019-9810, CVE-2019-9813)
A mechanism was discovered that removes some bounds checking for string,
array, or typed array accesses if Spectre mitiga
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2019-03-28·CVSS 5.9
CVE-2018-18506 [MEDIUM] Thunderbird vulnerabilities
Title: Thunderbird vulnerabilities
Summary: Several security issues were fixed in Thunderbird.
It was discovered that Thunderbird allowed PAC files to specify that
requests to localhost are sent through the proxy to another server. If
proxy auto-detection is enabled, an attacker could potentially exploit
this to conduct attacks on local services and tools. (CVE-2018-18506)
Multiple security issues were discovered in Thunderbird. If a user were
tricked in to opening a specially crafted website in a browsing context,
an attacker could potentially exploit these to cause a denial of service,
or execute arbitrary code. (CVE-2019-9788, CVE-2019-9790, CVE-2019-9791,
CVE-2019-9792, CVE-2019-9795, CVE-2019-9796, CVE-2019-9810, CVE-2019-9813)
A mechanism was discovered that removes some bounds c
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2019-03-25
CVE-2019-9810 Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Two security issues were discovered in the JavaScript engine in Firefox.
If a user were tricked in to opening a specially crafted website, an
attacker could exploit this by causing a denial of service, or executing
arbitrary code.
Instructions: After a standard system update you need to restart Firefox to make
all the necessary changes.
Red Hat
Mozilla: Ionmonkey type confusion with __proto__ mutations
vendor_redhat·2019-03-22·CVSS 8.8
CVE-2019-9813 [HIGH] CWE-843 Mozilla: Ionmonkey type confusion with __proto__ mutations
Mozilla: Ionmonkey type confusion with __proto__ mutations
Incorrect handling of __proto__ mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write. This vulnerability affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and Thunderbird < 60.6.1.
Statement: In general, this flaw can be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
Debian
CVE-2019-9813: firefox - Incorrect handling of __proto__ mutations may lead to type confusion in IonMonke...
vendor_debian·2019·CVSS 8.8
CVE-2019-9813 [HIGH] CVE-2019-9813: firefox - Incorrect handling of __proto__ mutations may lead to type confusion in IonMonke...
Incorrect handling of __proto__ mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write. This vulnerability affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and Thunderbird < 60.6.1.
Scope: local
sid: resolved (fixed in 66.0.1-1)
No detection rules found.
- https://access.redhat.com/errata/RHSA-2019:0966
- https://access.redhat.com/errata/RHSA-2019:1144
- https://bugzilla.mozilla.org/show_bug.cgi?id=1538006
- https://www.mozilla.org/security/advisories/mfsa2019-09/
- https://www.mozilla.org/security/advisories/mfsa2019-10/
- https://www.mozilla.org/security/advisories/mfsa2019-12/

Published: 2019-04-26