CVE-2019-9815high
New! CVE Severity Now Using CVSS v3
The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Description
If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sysctl. Firefox now makes use of it on the main thread and any worker threads. *Note: users need to update to macOS 10.14.5 in order to take advantage of this change.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7.
References
https://bugzilla.mozilla.org/show_bug.cgi?id=1546544
https://www.mozilla.org/security/advisories/mfsa2019-15/
https://www.mozilla.org/security/advisories/mfsa2019-14/
Details
Source: MITRE
Published: 2019-07-23
Updated: 2021-09-08
Type: CWE-203
Risk Information
CVSS v2
Base Score: 6.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Impact Score: 6.4
Exploitability Score: 8.6
Severity: MEDIUM
CVSS v3
Base Score: 8.1
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 2.2
Severity: HIGH
Vulnerable Software
Configuration 1
AND
OR
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
OR
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 125809 | openSUSE Security Update : MozillaFirefox (openSUSE-2019-1534) | Nessus | SuSE Local Security Checks | critical |
| 125702 | SUSE SLED15 / SLES15 Security Update : MozillaFirefox (SUSE-SU-2019:1405-1) | Nessus | SuSE Local Security Checks | critical |
| 125672 | SUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2019:1388-1) | Nessus | SuSE Local Security Checks | critical |
| 125669 | openSUSE Security Update : MozillaThunderbird (openSUSE-2019-1484) | Nessus | SuSE Local Security Checks | critical |
| 125363 | Mozilla Firefox ESR < 60.7 | Nessus | Windows | critical |
| 125362 | Mozilla Firefox ESR < 60.7 | Nessus | MacOS X Local Security Checks | critical |
| 125361 | Mozilla Firefox < 67.0 | Nessus | Windows | critical |
| 125360 | Mozilla Firefox < 67.0 | Nessus | MacOS X Local Security Checks | critical |
| 125359 | Mozilla Thunderbird < 60.7 | Nessus | Windows | critical |
| 125358 | Mozilla Thunderbird < 60.7 | Nessus | MacOS X Local Security Checks | critical |
| 125346 | FreeBSD : mozilla -- multiple vulnerabilities (44b6dfbf-4ef7-4d52-ad52-2b1b05d81272) | Nessus | FreeBSD Local Security Checks | critical |
| 700733 | Mozilla Firefox ESR < 60.7 Multiple Vulnerabilities | Nessus Network Monitor | Web Clients | high |
| 700727 | Mozilla Firefox < 67.0 Multiple Vulnerabilities | Nessus Network Monitor | Web Clients | high |
| 700742 | Mozilla Thunderbird < 60.7 Multiple Vulnerabilities | Nessus Network Monitor | SMTP Clients | high |