CVE-2019-17019: Improper Input Validation in Mozilla Firefox

Severity: 8.8 HIGH (NVD)
EPSS: 0.5% (top 34.93%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 8; Latest update May 24

Description

When Python was installed on Windows, a Python file being served with the MIME type of text/plain could be executed by Python instead of being opened as a text file when the Open option was selected upon download. *Note: this issue only occurs on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 72.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (4 packages)

NVD: mozilla/firefox < 72.0
CVEListV5: mozilla/firefox before 72
mozilla: mozilla/firefox

Vulnerability Details (2)

GHSA
GHSA-r75w-mj28-6x5x: When Python was installed on Windows, a python file being served with the MIME type of text/plain could be executed by Python instead of being opened (2022-05-24)
OSV
CVE-2019-17019: When Python was installed on Windows, a python file being served with the MIME type of text/plain could be executed by Python instead of being opened (2020-01-08)

Vendor Advisories (2)

Debian
CVE-2019-17019: firefox - When Python was installed on Windows, a python file being served with the MIME t... (2019)
Mozilla
Mozilla Foundation Security Advisory 2020-01: CVE-2019-17019

Community (1)

Bugzilla
On Windows, python files get executed instead of opened by notepad, because both Windows and the network suggest the file is text/plain, but ShellExecuteW will then open the file with python (2019-07-22)