CVE-2019-9804: OS Command Injection in Mozilla Firefox

Severity: 9.8 CRITICAL (NVD)
EPSS: 1.2% (top 21.48%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Apr 26
Latest update: May 24

Description

In Firefox Developer Tools it is possible that pasting the result of the 'Copy as cURL' command into a command shell on macOS will cause the execution of unintended additional bash script commands if the URL was maliciously crafted. This is the result of an issue with the native version of Bash on macOS. *Note: This issue only affects macOS. Other operating systems are unaffected.* This vulnerability affects Firefox < 66.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

CVEListV5: mozilla/firefox, unspecified, 66
NVD: mozilla/firefox, < 66.0

🔴 Vulnerability Details (2)

GHSA
GHSA-448w-rf52-mp55: In Firefox Developer Tools it is possible that pasting the result of the 'Copy as cURL' command into a command shell on macOS will cause the execution (2022-05-24)
OSV
CVE-2019-9804: In Firefox Developer Tools it is possible that pasting the result of the 'Copy as cURL' command into a command shell on macOS will cause the execution (2019-04-26)

📋 Vendor Advisories (2)

Debian
CVE-2019-9804: firefox - In Firefox Developer Tools it is possible that pasting the result of the 'Copy a... (2019)
Red Hat
struts: A regular expression Denial of Service when using URLValidator (2017-09-05)

💬 Community (1)

Bugzilla
CVE-2017-9804 struts: A regular expression Denial of Service when using URLValidator (2017-09-05)