CVE-2019-11707
thunderbird - security update
CVSS 3.1 base score: 8.8 (HIGH)
Listed in CISA KEV; EPSS score: 84.3%
Description
A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2.
How to fix CVE-2019-11707
To remediate CVE-2019-11707, upgrade the affected package to a fixed version below.
- Upgrade to 60.7.2-r0 or later
- Upgrade to 60.7.1esr-1 or later
- Upgrade to 60.7.1esr-1~deb8u1 or later
- Upgrade to 60.7.1esr-1~deb9u1 or later
- Upgrade to 1:60.7.2-1~deb8u1 or later
- Upgrade to 1:60.7.2-1~deb9u1 or later
- Upgrade to 1:60.7.2-1 or later
Is CVE-2019-11707 being exploited?
Yes — CVE-2019-11707 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.
Affected packages (7)
- from 0, < 60.7.2-r0
- from 0, < 60.7.1esr-1
- from 0, < 60.7.1esr-1~deb8u1
- from 0, < 60.7.1esr-1~deb9u1
- from 0, < 1:60.7.2-1~deb8u1
- from 0, < 1:60.7.2-1~deb9u1
- from 0, < 1:60.7.2-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |