CVE-2019-11737: Insufficient Verification of Data Authenticity in Mozilla Firefox

Severity
NVD: 5.3 MEDIUM
OSV: 9.8
EPSS: 0.1% (top 67.14%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Sep 27
Latest update: May 24

Description

If a wildcard ('*') is specified for the host in Content Security Policy (CSP) directives, any port or path restriction of the directive will be ignored, leading to CSP directives not being properly applied to content. This vulnerability affects Firefox < 69.
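The behaviour in the description, as an added example that is not Mozilla's code or this page's own: a simplified CSP host-source matcher in JavaScript, modelled on the CSP Level 3 matching rules, with an opt-in flag that reproduces the Firefox < 69 defect (a '*' host short-circuits the port and path checks), plus a small policy audit that lists the source expressions whose port or path restriction would have been silently dropped on affected versions. Helper and option names (`urlMatchesSource`, `findWildcardHostRestrictions`, `firefoxPre69`) are hypothetical and the sample policy is constructed; the matcher simplifies the spec (no percent-decoding of paths, scheme-less sources are assumed to protect an http(s)/ws(s) page).

```javascript
// Added example, not Mozilla code: a simplified CSP host-source matcher modelled
// on the CSP Level 3 "does url match source expression" check, with a switch
// that reproduces the Firefox < 69 behaviour described in CVE-2019-11737
// (host '*' => port and path of the same source expression are ignored).
// Helper and option names are hypothetical; the sample policy is constructed.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };
const SCHEME_UPGRADES = { "http:": "https:", "ws:": "wss:" };

// Parse "https://*.example.com:8443/api/" into {scheme, host, port, path}.
// Keyword sources ('self', 'none', nonces, hashes) and bare scheme-sources
// such as "https:" are not host-sources and return null.
function parseSourceExpression(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\*|\d+))?(\/\S*)?$/i.exec(expr);
  if (!m) return null;
  return {
    scheme: m[1] ? m[1].toLowerCase() + ":" : null,
    host: m[2].toLowerCase(),
    port: m[3] ?? null,
    path: m[4] ?? null,
  };
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com": at least one extra label is required
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function portMatches(exprPort, url) {
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || "";
  if (exprPort === "*") return true;
  if (exprPort === null) return urlPort === (DEFAULT_PORTS[url.protocol] || "");
  return exprPort === urlPort;
}

function pathMatches(exprPath, url) {
  if (exprPath === null || exprPath === "/") return true;
  // A trailing '/' means "this directory and below"; otherwise the path must match exactly.
  return exprPath.endsWith("/") ? url.pathname.startsWith(exprPath) : url.pathname === exprPath;
}

// Returns true if urlString is allowed by the host-source `expr`.
// With firefoxPre69: true the port and path checks are skipped whenever the
// host is '*', which is the defect this CVE describes.
function urlMatchesSource(expr, urlString, { firefoxPre69 = false } = {}) {
  const src = parseSourceExpression(expr);
  if (!src) throw new Error(`not a host-source expression: ${expr}`);
  const url = new URL(urlString);
  if (src.scheme !== null) {
    // CSP lets an http:/ws: expression also match its secure counterpart.
    if (url.protocol !== src.scheme && url.protocol !== SCHEME_UPGRADES[src.scheme]) return false;
  } else if (!(url.protocol in DEFAULT_PORTS)) {
    return false; // simplification: scheme-less host-sources only match http(s)/ws(s) here
  }
  if (!hostMatches(src.host, url.hostname)) return false;
  if (firefoxPre69 && src.host === "*") return true; // the bug: port/path never evaluated
  return portMatches(src.port, url) && pathMatches(src.path, url);
}

// Audit a serialized policy: every host-source whose host is '*' but which also
// carries a port (other than '*') or a path is a restriction Firefox < 69 silently dropped.
function findWildcardHostRestrictions(policy) {
  const findings = [];
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (!name) continue;
    for (const source of sources) {
      const src = parseSourceExpression(source);
      if (src && src.host === "*" && ((src.port !== null && src.port !== "*") || src.path !== null)) {
        findings.push({ directive: name, source });
      }
    }
  }
  return findings;
}

// Constructed sample policy (not taken from any real site).
const SAMPLE_POLICY =
  "default-src 'self'; script-src *:8443/cdn/ https://static.example.com; img-src *; connect-src wss://*:443; style-src *:*";

for (const f of findWildcardHostRestrictions(SAMPLE_POLICY)) {
  console.log(`${f.directive}: '${f.source}' is unenforced on Firefox < 69`);
}
```

The practical check for a deployed policy is the audit: a policy that relied on `*:8443/cdn/` to confine script loads to one port and path gave no such confinement on Firefox before 69, where it behaved like `script-src *`. Naming the host (`cdn.example.com:8443/cdn/`) keeps the port and path restriction effective, since the description ties the defect to a '*' host.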

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (4 packages)

Debian: debian/firefox, < firefox 69.0-1 (sid)
CVEListV5: mozilla/firefox, affected: unspecified, fixed: 69
NVD: mozilla/firefox, < 69.0
Ubuntu: mozilla/firefox, < 69.0+build2-0ubuntu0.16.04.4+3

🔴 Vulnerability Details (4)

GHSA: GHSA-fmq6-m827-77jc: If a wildcard ('*') is specified for the host in Content Security Policy (CSP) directives, any port or path restriction of the directive will be ignor… (2022-05-24)
OSV: firefox regression (2019-10-08)
OSV: firefox vulnerabilities (2019-09-04)
OSV: CVE-2019-11737: If a wildcard ('*') is specified for the host in Content Security Policy (CSP) directives, any port or path restriction of the directive will be ignor… (2019-09-04)

📋 Vendor Advisories (4)

Ubuntu: Firefox regression (2019-10-08)
Ubuntu: Firefox vulnerabilities (2019-09-04)
Red Hat: Mozilla: Content security policy directives ignore port and path if host is a wildcard (2019-09-03)
Debian: CVE-2019-11737: firefox - If a wildcard ('*') is specified for the host in Content Security Policy (CSP) d... (2019)

💬 Community (2)

Bugzilla: CVE-2019-11737 Mozilla: Content security policy directives ignore port and path if host is a wildcard (2019-09-04)
Bugzilla: Firefox 69.0 is available (2019-09-03)