Alpine: mozjs60: security update to 60.7.0-r0 (deprecated)

critical Tenable Self-Hosted Container Security Plugin ID 400550

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2. (CVE-2019-11707)

- Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2. (CVE-2019-11708)

See Also

https://git.alpinelinux.org/aports/commit/?id=4e93186e9fcf4cd2d33d43cd87fe97644174e4be

https://git.alpinelinux.org/aports/commit/?id=ed5e768abd1db57117bb63de5dcff4da11d0576e

Plugin Details

Severity: Critical

ID: 400550

Version: Revision 1.23

Type: Local

Published: 8/16/2023

Updated: 7/3/2024

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.7

Percentile: 99.11

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2019-11708

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 9.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/27/2019

Vulnerability Publication Date: 6/18/2019

CISA Known Exploited Vulnerability Due Dates: 6/13/2022

Reference Information

CVE: CVE-2019-11707, CVE-2019-11708

BID: 108810, 108835