Alpine: mozjs60: security update to 60.7.2-r0

Critical: Tenable Cloud Security Plugin ID 405614

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2. (CVE-2019-11707)

- Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2. (CVE-2019-11708)

See Also

https://security.alpinelinux.org/vuln/CVE-2019-11707

https://security.alpinelinux.org/vuln/CVE-2019-11708

Plugin Details

Severity: Critical

ID: 405614

Version: Revision 1.25

Type: Local

Published: 10/31/2023

Updated: 3/13/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.7

Percentile: 99.11

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2019-11708

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 9.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 6/18/2019

CISA Known Exploited Vulnerability Due Dates: 6/13/2022

Reference Information

CVE: CVE-2019-11707, CVE-2019-11708

BID: 108810, 108835