CVE-2019-9803 Information

Description

The Upgrade-Insecure-Requests (UIR) specification states that if UIR is enabled through Content Security Policy (CSP), navigation to a same-origin URL must be upgraded to HTTPS. In some circumstances Firefox incorrectly navigates to the HTTP URL rather than performing the security upgrade requested by the CSP, allowing potential man-in-the-middle attacks on the linked resources. This vulnerability affects Firefox 66.

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Reference

https://bugzilla.mozilla.org/show_bug.cgi?id=1437009
https://bugzilla.mozilla.org/show_bug.cgi?id=1515863
https://w3c.github.io/webappsec-upgrade-insecure-requests/
https://www.mozilla.org/security/advisories/mfsa2019-07/

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

7.4

Base Severity

HIGH
