Vulnerability CVE-2019-11737

Vulnerability Name:

CVE-2019-11737 (CCN-166395)

Assigned:

2019-09-03

Published:

2019-09-03

Updated:

2019-10-02

Summary:

If a wildcard ('*') is specified for the host in Content Security Policy (CSP) directives, any port or path restriction of the directive will be ignored, leading to CSP directives not being properly applied to content. This vulnerability affects Firefox < 69.

CVSS v3 Severity:

5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:C/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Complete Availibility (A): None

Vulnerability Type:

CWE-345

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2019-11737

Source: MISC
Type: Issue Tracking, Permissions Required, Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1388015

Source: XF
Type: UNKNOWN
firefox-cve201911737-sec-bypass(166395)

Source: CCN
Type: Mozilla Foundation Security Advisory 2019-25
Security vulnerabilities fixed in Firefox 69

Source: CONFIRM
Type: Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2019-25/

Vulnerable Configuration:

Configuration 1:

cpe:/a:mozilla:firefox:*:*:*:*:*:*:*:* (Version < 69.0)

Configuration CCN 1:

cpe:/a:mozilla:firefox:68.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:111899	P	MozillaFirefox-92.0-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:105476	P	MozillaFirefox-92.0-1.2 on GA media (Moderate)	2021-10-01
oval:com.ubuntu.disco:def:2019117370000000	V	CVE-2019-11737 on Ubuntu 19.04 (disco) - low.	2019-09-27
oval:com.ubuntu.bionic:def:2019117370000000	V	CVE-2019-11737 on Ubuntu 18.04 LTS (bionic) - low.	2019-09-27
oval:com.ubuntu.xenial:def:2019117370000000	V	CVE-2019-11737 on Ubuntu 16.04 LTS (xenial) - low.	2019-09-27

BACK