{"containers": {"cna": {"affected": [{"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "affected", "version": "before 68.3"}]}, {"product": "Firefox ESR", "vendor": "Mozilla", "versions": [{"status": "affected", "version": "before 68.3"}]}, {"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "affected", "version": "before 71"}]}], "descriptions": [{"lang": "en", "value": "Under certain conditions, when checking the Resist Fingerprinting preference during device orientation checks, a race condition could have caused a use-after-free and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71."}], "problemTypes": [{"descriptions": [{"description": "Use-after-free when performing device orientation checks", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-04-29T02:06:51", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1581084"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-36/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-38/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-37/"}, {"name": "openSUSE-SU-2020:0003", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html"}, {"name": "openSUSE-SU-2020:0002", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html"}, {"name": "USN-4241-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4241-1/"}, {"name": "RHSA-2020:0292", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0292"}, {"name": "RHSA-2020:0295", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0295"}, {"name": "GLSA-202003-02", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202003-02"}, {"name": "GLSA-202003-10", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202003-10"}, {"name": "USN-4335-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4335-1/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-17010", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Thunderbird", "version": {"version_data": [{"version_value": "before 68.3"}]}}, {"product_name": "Firefox ESR", "version": {"version_data": [{"version_value": "before 68.3"}]}}, {"product_name": "Firefox", "version": {"version_data": [{"version_value": "before 71"}]}}]}, "vendor_name": "Mozilla"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Under certain conditions, when checking the Resist Fingerprinting preference during device orientation checks, a race condition could have caused a use-after-free and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Use-after-free when performing device orientation checks"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1581084", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1581084"}, {"name": "https://www.mozilla.org/security/advisories/mfsa2019-36/", "refsource": "CONFIRM", "url": "https://www.mozilla.org/security/advisories/mfsa2019-36/"}, {"name": "https://www.mozilla.org/security/advisories/mfsa2019-38/", "refsource": "CONFIRM", "url": "https://www.mozilla.org/security/advisories/mfsa2019-38/"}, {"name": "https://www.mozilla.org/security/advisories/mfsa2019-37/", "refsource": "CONFIRM", "url": "https://www.mozilla.org/security/advisories/mfsa2019-37/"}, {"name": "openSUSE-SU-2020:0003", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html"}, {"name": "openSUSE-SU-2020:0002", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html"}, {"name": "USN-4241-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4241-1/"}, {"name": "RHSA-2020:0292", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0292"}, {"name": "RHSA-2020:0295", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0295"}, {"name": "GLSA-202003-02", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-02"}, {"name": "GLSA-202003-10", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-10"}, {"name": "USN-4335-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4335-1/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:24:48.864Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1581084"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-36/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-38/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-37/"}, {"name": "openSUSE-SU-2020:0003", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html"}, {"name": "openSUSE-SU-2020:0002", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html"}, {"name": "USN-4241-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4241-1/"}, {"name": "RHSA-2020:0292", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0292"}, {"name": "RHSA-2020:0295", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0295"}, {"name": "GLSA-202003-02", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202003-02"}, {"name": "GLSA-202003-10", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202003-10"}, {"name": "USN-4335-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4335-1/"}]}]}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-17010", "datePublished": "2020-01-08T21:23:23", "dateReserved": "2019-09-30T00:00:00", "dateUpdated": "2024-08-05T01:24:48.864Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "13CA3D58-3E63-46A9-9E84-0EE98E85FCCD", "versionEndExcluding": "71.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E44031F-A65C-47ED-BE96-D95E9C013208", "versionEndExcluding": "68.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "5720A580-B6C6-491B-9B75-619B39B6DFDD", "versionEndExcluding": "68.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*", "matchCriteriaId": "A31C8344-3E02-4EB8-8BD8-4C84B7959624", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Under certain conditions, when checking the Resist Fingerprinting preference during device orientation checks, a race condition could have caused a use-after-free and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71."}, {"lang": "es", "value": "Bajo determinadas condiciones, cuando se comprueba la preferencia Resist Fingerprinting durante las verificaciones de orientaci\u00f3n del dispositivo, una condici\u00f3n de carrera podr\u00eda haber causado un uso de la memoria previamente liberada y un bloqueo explotable potencialmente. Esta vulnerabilidad afecta a Thunderbird versiones anteriores a la versi\u00f3n 68.3, Firefox ESR versiones anteriores a la versi\u00f3n 68.3 y Firefox versiones anteriores a la versi\u00f3n 71."}], "id": "CVE-2019-17010", "lastModified": "2022-04-08T14:32:06.070", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-08T22:15:11.857", "references": [{"source": "security@mozilla.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html"}, {"source": "security@mozilla.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0292"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0295"}, {"source": "security@mozilla.org", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1581084"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202003-02"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202003-10"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4241-1/"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4335-1/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-36/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-37/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-38/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Nils as the original reporter.", "affected_release": [{"advisory": "RHSA-2019:4108", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "firefox-0:68.3.0-1.el6_10", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2019-12-05T00:00:00Z"}, {"advisory": "RHSA-2019:4205", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "thunderbird-0:68.3.0-3.el6_10", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2019-12-11T00:00:00Z"}, {"advisory": "RHSA-2019:4107", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "firefox-0:68.3.0-1.el7_7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2019-12-05T00:00:00Z"}, {"advisory": "RHSA-2019:4148", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "thunderbird-0:68.3.0-1.el7_7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2019-12-10T00:00:00Z"}, {"advisory": "RHSA-2019:4111", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:68.3.0-1.el8_1", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-12-05T00:00:00Z"}, {"advisory": "RHSA-2019:4195", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:68.3.0-2.el8_1", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-12-10T00:00:00Z"}, {"advisory": "RHSA-2020:0292", "cpe": "cpe:/a:redhat:rhel_e4s:8.0", "package": "thunderbird-0:68.4.1-2.el8_0", "product_name": "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions", "release_date": "2020-01-30T00:00:00Z"}, {"advisory": "RHSA-2020:0295", "cpe": "cpe:/a:redhat:rhel_e4s:8.0", "package": "firefox-0:68.4.1-1.el8_0", "product_name": "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions", "release_date": "2020-01-30T00:00:00Z"}], "bugzilla": {"description": "Mozilla: Use-after-free when performing device orientation checks", "id": "1779434", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1779434"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["Under certain conditions, when checking the Resist Fingerprinting preference during device orientation checks, a race condition could have caused a use-after-free and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71."], "name": "CVE-2019-17010", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 5"}], "public_date": "2019-12-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-17010\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-17010\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2019-37/#CVE-2019-17010"], "threat_severity": "Moderate", "upstream_fix": "thunderbird 68.3, firefox 68.3"}