First published: Tue Mar 19 2019
If a Sandbox content process is compromised, it can initiate an FTP download, which will then use a child process to render the downloaded data. The downloaded data can then be passed to the Chrome process with an arbitrary file length supplied by an attacker, bypassing sandbox protections and allowing a potential memory read of adjacent data from the privileged Chrome process, which may include sensitive data.
Credit: security@mozilla.org
Affected Software | Affected Version | How to fix |
---|---|---|
Mozilla Firefox | <66 | 66 |
Mozilla Firefox | <66.0 | |
debian/firefox | 133.0.3-1 |
CVE-2019-9802 is a vulnerability that allows a compromised Sandbox content process in Mozilla Firefox to bypass sandbox protections and initiate an FTP download with an arbitrary file length supplied by an attacker.
CVE-2019-9802 has a severity rating of 7.5, which is considered high.
CVE-2019-9802 affects Mozilla Firefox versions up to, but not including, version 66, as well as Ubuntu packages of Firefox version 66.0+.
To fix CVE-2019-9802 in Mozilla Firefox, update to version 66 or higher.
References for CVE-2019-9802 are available at the following links: [Bugzilla](https://bugzilla.mozilla.org/show_bug.cgi?id=1415508), [Mozilla Security Advisories](https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/)