Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2019-17020 |
CWE-ID | CWE-358 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | firefox (Alpine package): Operating systems & Components / Operating system package or component |
Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU24058
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-17020
CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists because Content Security Policy is implemented incorrectly and is not enforced for XSL stylesheets applied to XML documents. For example, if the XSL stylesheet includes JavaScript, that script bypasses the restrictions of the Content Security Policy applied to the XML document.
Successful exploitation of the vulnerability may allow an attacker to bypass security restrictions that rely on Content Security Policy and perform dangerous actions.
Install update from vendor's website.
Vulnerable software versions
firefox (Alpine package): 68.0.2-r0 - 71.0-r1
CPE2.3
https://git.alpinelinux.org/aports/commit/?id=af0d1d1edd77beb85efb9bbf0ad15000eb319170
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.