[ASA-201906-20] firefox: sandbox escape

2019-06-25 00:00:00
security.archlinux.org
CVSS2: 10
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 10
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS: 0.025
Percentile: 90.4%

Arch Linux Security Advisory ASA-201906-20

Severity: High
Date : 2019-06-25
CVE-ID : CVE-2019-11708
Package : firefox
Type : sandbox escape
Remote : Yes
Link : https://security.archlinux.org/AVG-997

Summary

The package firefox before version 67.0.4-1 is vulnerable to sandbox
escape.

Resolution

Upgrade to 67.0.4-1.

pacman -Syu "firefox>=67.0.4-1"

The problem has been fixed upstream in version 67.0.4.

Workaround

None.

Description

An issue has been found in Firefox before 67.0.4, where insufficient
vetting of parameters passed with the Prompt:Open IPC message between
child and parent processes can result in the non-sandboxed parent
process opening web content chosen by a compromised child process. When
combined with additional vulnerabilities, this could result in executing
arbitrary code on the user's computer.

Impact

An attacker could use this vulnerability, combined with another one, to
bypass the sandbox and execute arbitrary code on the host.

References

https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/#CVE-2019-11708
https://bugzilla.mozilla.org/show_bug.cgi?id=1559858
https://security.archlinux.org/CVE-2019-11708

OS         OS Version  Architecture  Package  Package Version  Filename
ArchLinux  any         any           firefox  < 67.0.4-1       UNKNOWN
