CVE-2019-11696: Input Validation
First published: Tue May 21 2019(Updated: )
Files with the .JNLP extension used for "Java web start" applications are not treated as executable content for download prompts even though they can be executed if Java is installed on the local system. This could allow users to mistakenly launch an executable binary locally. This vulnerability affects Firefox < 67.
Credit: security@mozilla.org security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Firefox | <67 | 67 |
| Mozilla Firefox | <67.0 | |
| ubuntu/firefox | <67.0+ | 67.0+ |
| ubuntu/firefox | <67.0+ | 67.0+ |
| ubuntu/firefox | <67.0+ | 67.0+ |
| ubuntu/firefox | <67.0+ | 67.0+ |
| ubuntu/firefox | <67.0+ | 67.0+ |
| ubuntu/firefox | <67.0+ | 67.0+ |
| ubuntu/firefox | <67.0+ | 67.0+ |
| ubuntu/firefox | <67.0+ | 67.0+ |
| ubuntu/firefox | <67.0+ | 67.0+ |
| ubuntu/firefox | <67.0+ | 67.0+ |
| ubuntu/firefox | <67.0+ | 67.0+ |
| ubuntu/firefox | <67.0+ | 67.0+ |
| ubuntu/firefox | <67.0+ | 67.0+ |
| ubuntu/firefox | <67.0 | 67.0 |
| ubuntu/firefox | <67.0+ | 67.0+ |
| debian/firefox | 125.0.3-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1392955
- https://www.mozilla.org/security/advisories/mfsa2019-13/
- https://launchpad.net/bugs/cve/CVE-2019-11696
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11693
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11696
- https://security-tracker.debian.org/tracker/CVE-2019-11696
- https://ubuntu.com/security/notices/USN-3991-1
- https://www.cve.org/CVERecord?id=CVE-2019-11696
- https://nvd.nist.gov/vuln/detail/CVE-2019-11696
- https://ubuntu.com/security/CVE-2019-11696
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is CVE-2019-11696?
CVE-2019-11696 is a vulnerability where files with the .JNLP extension used for Java web start applications are not treated as executable content for download prompts, allowing users to mistakenly launch an executable binary locally.
Which software is affected by CVE-2019-11696?
Mozilla Firefox versions up to and excluding 67.0, as well as certain versions of the Firefox package in Ubuntu and Debian, are affected by CVE-2019-11696.
What is the severity of CVE-2019-11696?
CVE-2019-11696 has a severity rating of high (7.8).
How can I fix CVE-2019-11696 in Mozilla Firefox?
To fix CVE-2019-11696 in Mozilla Firefox, update your browser to version 67.0 or higher.
Where can I find more information about CVE-2019-11696?
You can find more information about CVE-2019-11696 on the Mozilla Bugzilla and Mozilla Security Advisories websites.
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/severity
- agent/weakness
- agent/description
- agent/event
- collector/mozilla-advisory
- agent/software-canonical-lookup-request
- agent/references
- agent/tags
- source/Mozilla
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- collector/nvd-index
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- vendor/mozilla
- canonical/mozilla firefox
- package-manager/debian
- package-manager/ubuntu