Vulnerability Description
If a Sandbox content process is compromised, it can initiate an FTP download which will then use a child process to render the downloaded data. The downloaded data can then be passed to the Chrome process with an arbitrary file length supplied by an attacker, bypassing sandbox protections and allow for a potential memory read of adjacent data from the privileged Chrome process, which may include sensitive data. This vulnerability affects Firefox < 66.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | < 66.0 |
Related Weaknesses (CWE)
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1415508Issue TrackingVendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2019-07/Vendor Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=1415508Issue TrackingVendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2019-07/Vendor Advisory
FAQ
What is CVE-2019-9802?
CVE-2019-9802 is a vulnerability with a CVSS score of 7.5 (HIGH). If a Sandbox content process is compromised, it can initiate an FTP download which will then use a child process to render the downloaded data. The downloaded data can then be passed to the Chrome pro...
How severe is CVE-2019-9802?
CVE-2019-9802 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-9802?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox.