6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.014 Low
EPSS
Percentile
86.4%
Severity: Critical
Date : 2019-12-06
CVE-ID : CVE-2019-11745 CVE-2019-17005 CVE-2019-17008 CVE-2019-17010
CVE-2019-17011 CVE-2019-17012
Package : thunderbird
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-1072
The package thunderbird before version 68.3.0-1 is vulnerable to
arbitrary code execution.
Upgrade to 68.3.0-1.
The problems have been fixed upstream in version 68.3.0.
None.
An out-of-bounds write vulnerability has been found in the NSS
component of Firefox before 71.0 and Thunderbird before 68.3. When
encrypting with a block cipher, if a call to NSC_EncryptUpdate was made
with data smaller than the block size, a small out of bounds write
could occur. This could have caused heap corruption and a potentially
exploitable crash.
An out-of-bounds write vulnerability has been found in Firefox before
71.0 and Thunderbird before 68.3 where the plain text serializer used a
fixed-size array for the number of elements it could process; however
it was possible to overflow the static-sized array leading to memory
corruption and a potentially exploitable crash.
A use-after-free vulnerability has been found in Firefox before 71.0
and Thunderbird before 68.3. When using nested workers, a use-after-
free could occur during worker destruction. This resulted in a
potentially exploitable crash.
A use-after-free vulnerability has been found in Firefox before 71.0
and Thunderbird before 68.3. Under certain conditions, when checking
the Resist Fingerprinting preference during device orientation checks,
a race condition could have caused a use-after-free and a potentially
exploitable crash.
A use-after-free vulnerability has been found in Firefox before 71.0
and Thunderbird before 68.3. Under certain conditions, when retrieving
a document from a DocShell in the antitracking code, a race condition
could cause a use-after-free condition and a potentially exploitable
crash.
Several memory safety bugs have been found in Firefox before 71.0 and
Thunderbird before 68.3. Some of these bugs showed evidence of memory
corruption and Mozilla presumes that with enough effort some of these
could have been exploited to run arbitrary code.
A remote attacker can execute arbitrary code on the affected host.
https://www.mozilla.org/en-US/security/advisories/mfsa2019-38/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-11745
https://bugzilla.mozilla.org/show_bug.cgi?id=1586176
https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17005
https://bugzilla.mozilla.org/show_bug.cgi?id=1584170
https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17008
https://bugzilla.mozilla.org/show_bug.cgi?id=1546331
https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17010
https://bugzilla.mozilla.org/show_bug.cgi?id=1581084
https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17011
https://bugzilla.mozilla.org/show_bug.cgi?id=1591334
https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17012
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1449736%2C1533957%2C1560667%2C1567209%2C1580288%2C1585760%2C1592502
https://security.archlinux.org/CVE-2019-11745
https://security.archlinux.org/CVE-2019-17005
https://security.archlinux.org/CVE-2019-17008
https://security.archlinux.org/CVE-2019-17010
https://security.archlinux.org/CVE-2019-17011
https://security.archlinux.org/CVE-2019-17012
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ArchLinux | any | any | thunderbird | < 68.3.0-1 | UNKNOWN |
bugzilla.mozilla.org/buglist.cgi?bug_id=1449736%2C1533957%2C1560667%2C1567209%2C1580288%2C1585760%2C1592502
bugzilla.mozilla.org/show_bug.cgi?id=1546331
bugzilla.mozilla.org/show_bug.cgi?id=1581084
bugzilla.mozilla.org/show_bug.cgi?id=1584170
bugzilla.mozilla.org/show_bug.cgi?id=1586176
bugzilla.mozilla.org/show_bug.cgi?id=1591334
security.archlinux.org/AVG-1072
security.archlinux.org/CVE-2019-11745
security.archlinux.org/CVE-2019-17005
security.archlinux.org/CVE-2019-17008
security.archlinux.org/CVE-2019-17010
security.archlinux.org/CVE-2019-17011
security.archlinux.org/CVE-2019-17012
www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-11745
www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17005
www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17008
www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17010
www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17011
www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17012
www.mozilla.org/en-US/security/advisories/mfsa2019-38/
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.014 Low
EPSS
Percentile
86.4%