cnvd - cnvd-2019-32237

cnvd-2019-32237

Vulnerability from cnvd

Title

Mozilla Firefox和Mozilla Firefox ESR权限提升漏洞

Description

Mozilla Firefox和Mozilla Firefox ESR都是美国Mozilla基金会的产品。Mozilla Firefox是一款开源Web浏览器。Mozilla Firefox ESR是Firefox(Web浏览器)的一个延长支持版本。基于Windows平台的Mozilla Firefox 69之前版本、Mozilla Firefox ESR 68.1之前版本和Firefox ESR 60.9之前版本中存在安全漏洞。攻击者可利用该漏洞提升权限。

Severity

高

Patch Name

Mozilla Firefox和Mozilla Firefox ESR权限提升漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2019-11753

Impacted products

Name
['Mozilla Firefox <69', 'Firefox Firefox < 69', 'Mozilla Firefox ESR <68.1', 'Mozilla Firefox ESR <60.9']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-11753",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-11753"
    }
  },
  "description": "Mozilla Firefox\u548cMozilla Firefox ESR\u90fd\u662f\u7f8e\u56fdMozilla\u57fa\u91d1\u4f1a\u7684\u4ea7\u54c1\u3002Mozilla Firefox\u662f\u4e00\u6b3e\u5f00\u6e90Web\u6d4f\u89c8\u5668\u3002Mozilla Firefox ESR\u662fFirefox(Web\u6d4f\u89c8\u5668)\u7684\u4e00\u4e2a\u5ef6\u957f\u652f\u6301\u7248\u672c\u3002\n\n\u57fa\u4e8eWindows\u5e73\u53f0\u7684Mozilla Firefox 69\u4e4b\u524d\u7248\u672c\u3001Mozilla Firefox ESR 68.1\u4e4b\u524d\u7248\u672c\u548cFirefox ESR 60.9\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u5347\u6743\u9650\u3002",
  "discovererName": "Holger Fuhrmannek",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2019-25/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-32237",
  "openTime": "2019-09-20",
  "patchDescription": "Mozilla Firefox\u548cMozilla Firefox ESR\u90fd\u662f\u7f8e\u56fdMozilla\u57fa\u91d1\u4f1a\u7684\u4ea7\u54c1\u3002Mozilla Firefox\u662f\u4e00\u6b3e\u5f00\u6e90Web\u6d4f\u89c8\u5668\u3002Mozilla Firefox ESR\u662fFirefox(Web\u6d4f\u89c8\u5668)\u7684\u4e00\u4e2a\u5ef6\u957f\u652f\u6301\u7248\u672c\u3002\r\n\r\n\u57fa\u4e8eWindows\u5e73\u53f0\u7684Mozilla Firefox 69\u4e4b\u524d\u7248\u672c\u3001Mozilla Firefox ESR 68.1\u4e4b\u524d\u7248\u672c\u548cFirefox ESR 60.9\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u5347\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Mozilla Firefox\u548cMozilla Firefox ESR\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Mozilla Firefox \u003c69",
      "Firefox Firefox \u003c 69",
      "Mozilla Firefox ESR \u003c68.1",
      "Mozilla Firefox ESR \u003c60.9"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-11753",
  "serverity": "\u9ad8",
  "submitTime": "2019-09-09",
  "title": "Mozilla Firefox\u548cMozilla Firefox ESR\u6743\u9650\u63d0\u5347\u6f0f\u6d1e"
}

CVE-2019-11753 (GCVE-0-2019-11753)

Vulnerability from cvelistv5

Published

2019-09-27 17:13

Modified

2024-08-04 23:03

Severity ?

CWE

Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location

Summary

The Firefox installer allows Firefox to be installed to a custom user writable location, leaving it unprotected from manipulation by unprivileged users or malware. If the Mozilla Maintenance Service is manipulated to update this unprotected location and the updated maintenance service in the unprotected location has been altered, the altered maintenance service can run with elevated privileges during the update process due to a lack of integrity checks. This allows for privilege escalation if the executable has been replaced locally. <br>*Note: This attack requires local system access and only affects Windows. Other operating systems are not affected.*. This vulnerability affects Firefox < 69, Firefox ESR < 60.9, and Firefox ESR < 68.1.

References

URL

Tags

	https://bugzilla.mozilla.org/show_bug.cgi?id=1574980	x_refsource_MISC
	https://www.mozilla.org/security/advisories/mfsa2019-25/	x_refsource_CONFIRM
	https://www.mozilla.org/security/advisories/mfsa2019-27/	x_refsource_CONFIRM
	https://www.mozilla.org/security/advisories/mfsa2019-26/	x_refsource_CONFIRM
	http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html	vendor-advisory, x_refsource_SUSE
	http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html	vendor-advisory, x_refsource_SUSE

Impacted products

Vendor

Product

Version

Mozilla

Firefox

Version: unspecified < 69

Mozilla

Firefox ESR

Version: unspecified < 60.9
Version: unspecified < 68.1

Show details on NVD website