Search for vulnerabilities
Vulnerability details: VCID-9tn8-jf3p-aaam
Vulnerability ID VCID-9tn8-jf3p-aaam
Aliases CVE-2019-9816
Summary A possible vulnerability exists where type confusion can occur when manipulating JavaScript objects in object groups, allowing for the bypassing of security checks within these groups. *Note: this vulnerability has only been demonstrated with UnboxedObjects, which are disabled by default on all supported releases.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7.
Status Published
Exploitability 2.0
Weighted Severity 9.0
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')
System Score Found at
generic_textual Medium http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9816.html
cvssv3 5.9 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-9816.json
epss 0.28765 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.38245 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.53590 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.53590 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.53590 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.53590 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.53590 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.53590 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.53590 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.53590 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.53590 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.53590 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.53590 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.53590 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.55638 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.55638 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
epss 0.55638 https://api.first.org/data/v1/epss?cve=CVE-2019-9816
rhbs high https://bugzilla.redhat.com/show_bug.cgi?id=1712625
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18511
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11691
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11692
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11693
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11698
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5798
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7317
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9797
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9800
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9816
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9817
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9819
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9820
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv2 4.3 https://nvd.nist.gov/vuln/detail/CVE-2019-9816
cvssv3 5.9 https://nvd.nist.gov/vuln/detail/CVE-2019-9816
archlinux Critical https://security.archlinux.org/AVG-965
archlinux Critical https://security.archlinux.org/AVG-966
generic_textual Medium https://ubuntu.com/security/notices/USN-3991-1
generic_textual Medium https://ubuntu.com/security/notices/USN-3997-1
generic_textual Medium https://usn.ubuntu.com/usn/usn-3991-1
generic_textual Medium https://usn.ubuntu.com/usn/usn-3997-1
generic_textual critical https://www.mozilla.org/en-US/security/advisories/mfsa2019-13
generic_textual Medium https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9816
generic_textual critical https://www.mozilla.org/en-US/security/advisories/mfsa2019-14
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2019-15
generic_textual Medium https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9816
Reference id Reference type URL
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9816.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-9816.json
https://api.first.org/data/v1/epss?cve=CVE-2019-9816
https://bugzilla.mozilla.org/show_bug.cgi?id=1536768
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18511
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11691
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11692
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11693
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11698
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5798
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7317
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9797
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9800
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9816
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9817
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9819
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9820
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://ubuntu.com/security/notices/USN-3991-1
https://ubuntu.com/security/notices/USN-3997-1
https://usn.ubuntu.com/usn/usn-3991-1
https://usn.ubuntu.com/usn/usn-3997-1
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9816
https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9816
https://www.mozilla.org/security/advisories/mfsa2019-13/
https://www.mozilla.org/security/advisories/mfsa2019-14/
https://www.mozilla.org/security/advisories/mfsa2019-15/
1712625 https://bugzilla.redhat.com/show_bug.cgi?id=1712625
ASA-201905-8 https://security.archlinux.org/ASA-201905-8
ASA-201905-9 https://security.archlinux.org/ASA-201905-9
AVG-965 https://security.archlinux.org/AVG-965
AVG-966 https://security.archlinux.org/AVG-966
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
CVE-2019-9816 Exploit https://bugs.chromium.org/p/project-zero/issues/detail?id=1808
CVE-2019-9816 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/dos/46940.txt
CVE-2019-9816 https://nvd.nist.gov/vuln/detail/CVE-2019-9816
mfsa2019-13 https://www.mozilla.org/en-US/security/advisories/mfsa2019-13
mfsa2019-14 https://www.mozilla.org/en-US/security/advisories/mfsa2019-14
mfsa2019-15 https://www.mozilla.org/en-US/security/advisories/mfsa2019-15
Data source Exploit-DB
Date added May 29, 2019
Description Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation
Ransomware campaign use Known
Source publication date May 29, 2019
Exploit type dos
Platform multiple
Source update date May 29, 2019
Source URL https://bugs.chromium.org/p/project-zero/issues/detail?id=1808
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-9816.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-9816
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-9816
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.94525
EPSS Score 0.28765
Published At March 29, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.