CVE-2019-17021

Published: Jan 8, 2020Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Exploitability: 1.6 / Impact: 3.6

Source: NVD

Description

During the initialization of a new content process, a race condition occurs that can allow a content process to disclose heap addresses from the parent process. *Note: this issue only occurs on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.

Affected (3)

Products: Mozilla: Firefox, Firefox Esr · Opensuse: Leap

2 products

1 product

Configuration A

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 72.0
Mozilla Firefox Esr	Before 68.4

Running on/with	Platform Versions
Microsoft Windows	All versions

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Opensuse Leap	Version 15.1

Related CWEs

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References (14)

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html

Source: security@mozilla.org

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html

Source: security@mozilla.org

Mailing ListThird Party Advisory

http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html

Source: security@mozilla.org

ExploitThird Party AdvisoryVDB Entry

https://bugzilla.mozilla.org/show_bug.cgi?id=1599008

Source: security@mozilla.org

ExploitIssue TrackingPermissions Required

https://seclists.org/bugtraq/2020/Jan/18

Source: security@mozilla.org

Mailing ListThird Party Advisory

https://www.mozilla.org/security/advisories/mfsa2020-01/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2020-02/

Source: security@mozilla.org

Vendor Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

https://bugzilla.mozilla.org/show_bug.cgi?id=1599008

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingPermissions Required

https://seclists.org/bugtraq/2020/Jan/18

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://www.mozilla.org/security/advisories/mfsa2020-01/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2020-02/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.