{
  "threat_severity" : "Moderate",
  "public_date" : "2019-10-22T00:00:00Z",
  "bugzilla" : {
    "description" : "Mozilla: Unintended access to a privileged JSONView object",
    "id" : "1764442",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1764442"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-749",
  "details" : [ "By using a form with a data URI, it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal; however, it was a bypass of existing defense-in-depth mechanisms. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2.", "A vulnerability was found in Mozilla Firefox and Thunderbird. Privileged JSONView objects that have been cloned into content can be accessed using a form with a data URI. This flaw bypasses existing defense-in-depth mechanisms and can be exploited over the network." ],
  "acknowledgement" : "Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Cody Crews as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2019-10-31T00:00:00Z",
    "advisory" : "RHSA-2019:3281",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "firefox-0:68.2.0-4.el6_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2019-11-06T00:00:00Z",
    "advisory" : "RHSA-2019:3756",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "thunderbird-0:68.2.0-2.el6_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2019-10-24T00:00:00Z",
    "advisory" : "RHSA-2019:3193",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "firefox-0:68.2.0-1.el7_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2019-10-29T00:00:00Z",
    "advisory" : "RHSA-2019:3210",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "thunderbird-0:68.2.0-1.el7_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2019-10-24T00:00:00Z",
    "advisory" : "RHSA-2019:3196",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "firefox-0:68.2.0-2.el8_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2019-10-29T00:00:00Z",
    "advisory" : "RHSA-2019:3237",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "thunderbird-0:68.2.0-1.el8_0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Out of support scope",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Out of support scope",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-11761\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-11761\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2019-33/#CVE-2019-11761" ],
  "name" : "CVE-2019-11761",
  "csaw" : false
}