Improper validation of integrity check value in firefox-esr (Alpine package)
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-11753 |
| CWE-ID | CWE-354 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
firefox-esr (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Improper validation of integrity check value
EUVDB-ID: #VU20822
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11753
CWE-ID:
CWE-354 - Improper Validation of Integrity Check Value
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to the Mozilla Maintenance Service does not check integrity of the binary files that were installed into a custom and unprotected folder on the system. A local user can manipulate the Mozilla Maintenance Service to update this unprotected location and escalate privilege on the system.
Note, the vulnerability affects Windows installation only.
MitigationInstall update from vendor's website.
Vulnerable software versionsfirefox-esr (Alpine package): 60.4.0-r0 - 68.11.0-r0
External linkshttp://git.alpinelinux.org/aports/commit/?id=df118d5706ba2d60b54d1285b0c2544abd2dc984
http://git.alpinelinux.org/aports/commit/?id=ebf9184f5bbef1f9faab710ffb48bb36b5bae10e
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
