#VU18040 Permissions, Privileges, and Access Controls in Mozilla Firefox - CVE-2019-9802
Published: March 21, 2019
Vulnerability identifier: #VU18040
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-9802
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Mozilla Firefox
Mozilla Firefox
Software vendor:
Mozilla
Mozilla
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper handling of FTP downloads. A remote attacker can trick the victim to open a specially crafted web page and initiate an FTP download which will then use a child process to render the downloaded data. The downloaded data can then be passed to the Chrome process with an arbitrary file length supplied by an attacker, bypassing sandbox protections and allow for a potential memory read of adjacent data from the privileged Chrome process.
Remediation
Install updates from vendor's website.