Security Bulletin: WebSphere Cast Iron and App Connect Professional are affected by vulnerabilities in busybox, arpwatch, apr, acpid, augeas, firefox, ctdb.

Vulnerability Details

CVEID:   CVE-2019-11691
DESCRIPTION:   Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free when working with XMLHttpRequest (XHR) in an event loop. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161343 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:   CVE-2019-11692
DESCRIPTION:   Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free when listeners are removed from the event listener manager while still in use. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161344 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:   CVE-2019-11693
DESCRIPTION:   Mozilla Firefox is vulnerable to a denial of service, caused by a buffer overflow in the bufferdata function in WebGL. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161345 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:   CVE-2019-11711
DESCRIPTION:   Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a script injection within domain through inner window reuse. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163503 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:   CVE-2019-11730
DESCRIPTION:   Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by a same-origin policy that treats all files in a directory as having the same-origin. By persuading a victim to visit a specially-crafted Web site, an attacker could exploit this vulnerability to read attachments the victim received from other correspondents.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163515 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID:   CVE-2019-11698
DESCRIPTION:   Mozilla Firefox could allow a remote attacker to bypass security restrictions. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using drag and dropt to steal user history data.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161353 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID:   CVE-2019-9820
DESCRIPTION:   Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free in the chrome event handler. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161341 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:   CVE-2019-11715
DESCRIPTION:   Mozilla Firefox is vulnerable to cross-site scripting, caused by improper validation of user-supplied input while parsing page content. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163508 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:   CVE-2019-9800
DESCRIPTION:   Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161357 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:   CVE-2019-11712
DESCRIPTION:   Mozilla Firefox is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input by NPAPI plugins. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to bypass CORS requirements. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163504 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID:   CVE-2019-11713
DESCRIPTION:   Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free in HTTP/2 when a cached HTTP/2 stream is closed while still in use. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163505 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:   CVE-2019-11717
DESCRIPTION:   Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by the improper escaping of caret character in origins. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof origin attributes.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163510 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID:   CVE-2014-4607
DESCRIPTION:   Oberhumer LZO could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the lzo1x_decompress_safe() function when processing zero bytes. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/94014 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:   CVE-2012-2653
DESCRIPTION:   arpwatch could allow a local attacker to bypass security restrictions, caused by a failure to drop supplementary groups.
CVSS Base score: 2.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/76536 for the current score.
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2019-5798
DESCRIPTION:   Google Chrome could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read in Skia. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158047 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID:   CVE-2019-9797
DESCRIPTION:   Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by a cross-origin theft of images with createImageBitmap. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to bypass same-origin policy and obtain sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158409 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVEID:   CVE-2019-9811
DESCRIPTION:   Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by an error using the installation of a malicious language pack. By persuading a victim to visit a specially-crafted Web site, an attacker could exploit this vulnerability to escape the sandbox.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163502 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID:   CVE-2019-11707
DESCRIPTION:   Mozilla Firefox and Firefox ESR are vulnerable to a denial of service, caused by a type confusion when manipulating JavaScript objects due to issues in Array.pop. By persuading a victim to open a specially-crafted Web page, an attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162711 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:   CVE-2019-11708
DESCRIPTION:   Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using the Prompt:Open IPC message to open arbitrary content from a sandboxed child process to the non-sandboxed parent.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162774 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:   CVE-2019-9817
DESCRIPTION:   Mozilla Firefox could allow a remote attacker to obtain sensitive information. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using canvas to steal image data from a different site.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161339 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVEID:   CVE-2019-9816
DESCRIPTION:   Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a type confusion when manipulating JavaScript objects in object groups. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161338 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:   CVE-2019-9819
DESCRIPTION:   Mozilla Firefox is vulnerable to a denial of service, caused by a JavaScript compartment mismatch can while working with the fetch API. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161340 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:   CVE-2019-11709
DESCRIPTION:   Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163522 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:   CVE-2017-7555
DESCRIPTION:   Augeas is vulnerable to a heap-based buffer overflow. By sending specially crafted strings, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/130659 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:   CVE-2018-18511
DESCRIPTION:   Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by a cross-origin theft of images with ImageBitmapRenderingContext. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using the transferFromImageBitmap method to bypass same-origin policy and obtain sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/156941 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)