VDB
CVE-2019-9803
CVE-2019-9803
PUBLISHED
The Upgrade-Insecure-Requests (UIR) specification states that if UIR is enabled through Content Security Policy (CSP), navigation to a same-origin URL must be upgraded to HTTPS. Firefox will incorrectly navigate to an HTTP URL rather than perform the security upgrade requested by the CSP in some circumstances, allowing for potential man-in-the-middle attacks on the linked resources. This vulnerability affects Firefox < 66.
EPSS 0.12% · 30.9th percentile
Risk Scores
EPSS Score
0.12%
30.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | firefox | *, 64.0+build3-0ubuntu0.18.04.1, 65.0+build2-0ubuntu0.18.04.1 |
| Ubuntu:20.04:LTS | mozjs52 | 0, 52.9.1-1build1, 52.9.1-1ubuntu3 |
| Ubuntu:14.04:LTS | firefox | 40.0+build4-0ubuntu0.14.04.4, 40.0.3+build1-0ubuntu0.14.04.1, 41.0.1+build2-0ubuntu0.14.04.1 |
| Ubuntu:18.04:LTS | mozjs38 | *, 38.8.0~repack1-0ubuntu4, 38.8.0~repack1-0ubuntu1 |
| Ubuntu:16.04:LTS | firefox | 50.0.2+build1-0ubuntu0.16.04.1, 50.1.0+build2-0ubuntu0.16.04.1, 51.0.1+build2-0ubuntu0.16.04.2 |
| Ubuntu:18.04:LTS | mozjs52 | 0, 52.8.1-0ubuntu0.18.04.1, 52.3.1-0ubuntu3 |
Timeline
- Mar 20, 2019 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-9803 third-party-advisory
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9803 third-party-advisory
- https://ubuntu.com/security/notices/USN-3918-1 vendor-advisory
- https://ubuntu.com/security/notices/USN-3918-2 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-9803 third-party-advisory