CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector String | AV:N/AC:M/Au:N/C:P/I:P/A:N |

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | NONE |
Vector String | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |

EPSS Percentile: 52.0%

The Upgrade-Insecure-Requests (UIR) specification states that if UIR is
enabled through Content Security Policy (CSP), navigation to a same-origin
URL must be upgraded to HTTPS. Firefox will incorrectly navigate to an HTTP
URL rather than perform the security upgrade requested by the CSP in some
circumstances, allowing for potential man-in-the-middle attacks on the
linked resources. This vulnerability affects Firefox < 66.
Author | Note |
---|---|
tyhicks | mozjs contains a copy of the SpiderMonkey JavaScript engine |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | firefox | < 66.0+build3-0ubuntu0.18.04.1 | UNKNOWN |
ubuntu | 18.10 | noarch | firefox | < 66.0+build3-0ubuntu0.18.10.1 | UNKNOWN |
ubuntu | 19.04 | noarch | firefox | < 66.0+build3-0ubuntu1 | UNKNOWN |
ubuntu | 19.10 | noarch | firefox | < 66.0+build3-0ubuntu1 | UNKNOWN |
ubuntu | 20.04 | noarch | firefox | < 66.0+build3-0ubuntu1 | UNKNOWN |
ubuntu | 20.10 | noarch | firefox | < 66.0+build3-0ubuntu1 | UNKNOWN |
ubuntu | 21.04 | noarch | firefox | < 66.0+build3-0ubuntu1 | UNKNOWN |
ubuntu | 21.10 | noarch | firefox | < 66.0+build3-0ubuntu1 | UNKNOWN |
ubuntu | 22.04 | noarch | firefox | < 66.0+build3-0ubuntu1 | UNKNOWN |
ubuntu | 22.10 | noarch | firefox | < 66.0+build3-0ubuntu1 | UNKNOWN |
launchpad.net/bugs/cve/CVE-2019-9803
nvd.nist.gov/vuln/detail/CVE-2019-9803
security-tracker.debian.org/tracker/CVE-2019-9803
ubuntu.com/security/notices/USN-3918-1
ubuntu.com/security/notices/USN-3918-2
www.cve.org/CVERecord?id=CVE-2019-9803
www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9803