First published: Tue May 21 2019
Files with the .JNLP extension used for "Java web start" applications are not treated as executable content for download prompts even though they can be executed if Java is installed on the local system. This could allow users to mistakenly launch an executable binary locally.
Credit: security@mozilla.org
Affected Software | Affected Version | How to fix |
---|---|---|
Mozilla Firefox | <67 | 67 |
Mozilla Firefox | <67.0 | |
debian/firefox | 132.0.2-1 |
CVE-2019-11696 is a vulnerability where files with the .JNLP extension used for Java web start applications are not treated as executable content for download prompts, allowing users to mistakenly launch an executable binary locally.
Mozilla Firefox versions up to and excluding 67.0, as well as certain versions of the Firefox package in Ubuntu and Debian, are affected by CVE-2019-11696.
CVE-2019-11696 has a severity rating of high (7.8).
To fix CVE-2019-11696 in Mozilla Firefox, update your browser to version 67.0 or higher.
You can find more information about CVE-2019-11696 on the Mozilla Bugzilla and Mozilla Security Advisories websites.