{"containers": {"cna": {"affected": [{"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "60.6", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Firefox ESR", "vendor": "Mozilla", "versions": [{"lessThan": "60.6", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Firefox", "vendor": "Mozilla", "versions": [{"lessThan": "66", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "A use-after-free vulnerability can occur when the SMIL animation controller incorrectly registers with the refresh driver twice when only a single registration is expected. When a registration is later freed with the removal of the animation controller element, the refresh driver incorrectly leaves a dangling pointer to the driver's observer array. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66."}], "problemTypes": [{"descriptions": [{"description": "Use-after-free with SMIL animation controller", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-05-13T09:06:06", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-07/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-08/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-11/"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1531277"}, {"name": "RHSA-2019:0966", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:0966"}, {"name": "RHSA-2019:1144", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:1144"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-9796", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Thunderbird", "version": {"version_data": [{"version_affected": "<", "version_value": "60.6"}]}}, {"product_name": "Firefox ESR", "version": {"version_data": [{"version_affected": "<", "version_value": "60.6"}]}}, {"product_name": "Firefox", "version": {"version_data": [{"version_affected": "<", "version_value": "66"}]}}]}, "vendor_name": "Mozilla"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A use-after-free vulnerability can occur when the SMIL animation controller incorrectly registers with the refresh driver twice when only a single registration is expected. When a registration is later freed with the removal of the animation controller element, the refresh driver incorrectly leaves a dangling pointer to the driver's observer array. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Use-after-free with SMIL animation controller"}]}]}, "references": {"reference_data": [{"name": "https://www.mozilla.org/security/advisories/mfsa2019-07/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-07/"}, {"name": "https://www.mozilla.org/security/advisories/mfsa2019-08/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-08/"}, {"name": "https://www.mozilla.org/security/advisories/mfsa2019-11/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-11/"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1531277", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1531277"}, {"name": "RHSA-2019:0966", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:0966"}, {"name": "RHSA-2019:1144", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1144"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:01:54.698Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-07/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-08/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-11/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1531277"}, {"name": "RHSA-2019:0966", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:0966"}, {"name": "RHSA-2019:1144", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:1144"}]}]}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-9796", "datePublished": "2019-04-26T16:13:22", "dateReserved": "2019-03-14T00:00:00", "dateUpdated": "2024-08-04T22:01:54.698Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "DF5B7642-9E9D-4578-9120-B95A6B198177", "versionEndExcluding": "66.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "matchCriteriaId": "0FA1560E-3400-488F-B34D-278BFD071E0B", "versionEndExcluding": "60.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "87CE431A-9E72-4288-ADA2-7A8E69A5AB6C", "versionEndExcluding": "60.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A use-after-free vulnerability can occur when the SMIL animation controller incorrectly registers with the refresh driver twice when only a single registration is expected. When a registration is later freed with the removal of the animation controller element, the refresh driver incorrectly leaves a dangling pointer to the driver's observer array. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66."}, {"lang": "es", "value": "Una vulnerabilidad de uso despu\u00e9s de liberaci\u00f3n de memoria puede darse cuando el controlador de animaci\u00f3n SMIL registra incorrectamente con el controlador de actualizaci\u00f3n dos veces cuando s\u00f3lo se espera un \u00fanico registro. Cuando se libera un registro con la eliminaci\u00f3n del elemento de controlador de animaci\u00f3n, el controlador de actualizaci\u00f3n deja incorrectamente un puntero pendiente en la matriz de observadores del controlador. Esta vulnerabilidad afecta a Thunderbird, versiones anteriores a 60.6, Firefox ESR, versiones anteriores a 60.6 y Firefox. versiones anteriores a 66."}], "id": "CVE-2019-9796", "lastModified": "2019-06-26T15:31:45.577", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-26T17:29:02.477", "references": [{"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:0966"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:1144"}, {"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1531277"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-07/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-08/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-11/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Nils as the original reporter.", "affected_release": [{"advisory": "RHSA-2019:0623", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "firefox-0:60.6.0-3.el6_10", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2019-03-20T00:00:00Z"}, {"advisory": "RHSA-2019:0680", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "thunderbird-0:60.6.1-1.el6_10", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2019-03-28T00:00:00Z"}, {"advisory": "RHSA-2019:0622", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "firefox-0:60.6.0-3.el7_6", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2019-03-20T00:00:00Z"}, {"advisory": "RHSA-2019:0681", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "thunderbird-0:60.6.1-1.el7_6", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2019-03-28T00:00:00Z"}, {"advisory": "RHSA-2019:0966", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:60.6.1-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-05-07T00:00:00Z"}, {"advisory": "RHSA-2019:1144", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:60.6.1-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-05-13T00:00:00Z"}], "bugzilla": {"description": "Mozilla: Use-after-free with SMIL animation controller", "id": "1690681", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1690681"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["A use-after-free vulnerability can occur when the SMIL animation controller incorrectly registers with the refresh driver twice when only a single registration is expected. When a registration is later freed with the removal of the animation controller element, the refresh driver incorrectly leaves a dangling pointer to the driver's observer array. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66."], "name": "CVE-2019-9796", "public_date": "2019-03-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-9796\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-9796\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2019-08/#CVE-2019-9796"], "threat_severity": "Important"}