Vulnerability CVE-2019-9798


Published: 2019-04-26

Description:
On Android systems, Firefox can load a library from APITRACE_LIB, which is writable by all users and applications. This could allow malicious third party applications to execute a man-in-the-middle attack if a malicious code was written to that location and loaded. *Note: This issue only affects Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 66.

Type:

CWE-254

(Security Features)

Vendor: Mozilla
Product: Firefox 
Version:
9.0.1
9.0
8.0.1
8.0
7.0.1
7.0
65.0
64.0.2
64.0
63.0.3
63.0.1
63.0
62.0.3
62.0.2
62.0
61.0.2
61.0.1
61.0
60.6.1
60.5.0
60.4.0
60.3.0
60.2.2
60.2.1
60.2.0
60.1.0
60.0.2
60.0.1
60.0
6.0.2
6.0.1
6.0
59.0.3
59.0.2
59.0.1
59.0
58.0.2
58.0.1
58.0
57.0.4
57.0.3
57.0.2
57.0.1
57.0
56.0.2
56.0.1
56.0
55.0.3
55.0.2
55.0.1
55.0
54.0.1
54.0
53.0.3
53.0.2
53.0
52.9.0
52.8.1
52.8.0
52.7.4
52.7.3
52.7.2
52.7.1
52.7.0
52.6.0
52.5.3
52.5.2
52.5.0
52.4.1
52.4.0
52.3.0
52.2.1
52.2.0
52.1.2
52.1.1
52.1.0
52.0.2
52.0.1
52.0
51.0.1
51.0
50.0.2
50.0.1
50.0
5.0.1
5.0
49.0.2
49.0.1
49.0
48.0.2
48.0.1
48.0
47.0.2
47.0.1
47.0
46.0.1
46.0
45.9.0
45.8.0
45.7.0
See more versions on NVD

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5.8/10
4.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
None

 References:
https://bugzilla.mozilla.org/show_bug.cgi?id=1527534
https://www.mozilla.org/security/advisories/mfsa2019-07/

Related CVE
CVE-2019-9821
A use-after-free vulnerability can occur in AssertWorkerThread due to a race condition with shared workers. This results in a potentially exploitable crash. This vulnerability affects Firefox < 67.
CVE-2019-9820
A use-after-free vulnerability can occur in the chrome event handler when it is freed while still in use. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7.
CVE-2019-9819
A vulnerability where a JavaScript compartment mismatch can occur while working with the fetch API, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7.
CVE-2019-9817
Images from a different domain can be read using a canvas object in some circumstances. This could be used to steal image data from a different site in violation of same-origin policy. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and ...
CVE-2019-9816
A possible vulnerability exists where type confusion can occur when manipulating JavaScript objects in object groups, allowing for the bypassing of security checks within these groups. *Note: this vulnerability has only been demonstrated with Unboxed...
CVE-2019-9815
If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sy...
CVE-2019-9814
Mozilla developers and community members reported memory safety bugs present in Firefox 66. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. Th...
CVE-2019-9811
As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. This vulnerability affects Firefox ESR < 60.8, Firefox < ...

Copyright 2019, cxsecurity.com

 

Back to Top