Bug 1728438 (CVE-2019-11730) - CVE-2019-11730 Mozilla: Same-origin policy treats all files in a directory as having the same-origin
Summary: CVE-2019-11730 Mozilla: Same-origin policy treats all files in a directory as...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11730
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1726061 1726062 1726063 1726064 1726065 1726882 1726883 1726884 1726885 1726886
Blocks: 1726057
Reported: 2019-07-10 00:27 UTC by Doran Moppert
Modified: 2021-02-16 21:44 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-12 13:08:41 UTC
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1763 0 None None None 2019-07-11 17:55:53 UTC
Red Hat Product Errata RHSA-2019:1764 0 None None None 2019-07-11 17:19:44 UTC
Red Hat Product Errata RHSA-2019:1765 0 None None None 2019-07-11 17:51:57 UTC
Red Hat Product Errata RHSA-2019:1775 0 None None None 2019-07-15 12:41:02 UTC
Red Hat Product Errata RHSA-2019:1777 0 None None None 2019-07-15 13:35:13 UTC
Red Hat Product Errata RHSA-2019:1799 0 None None None 2019-07-16 20:27:06 UTC

Description Doran Moppert 2019-07-10 00:27:42 UTC
A vulnerability exists where if a user opens a locally saved HTML file, this file can use `file:` URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may be uploaded to a server. Luigi Gubello demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app's predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents.



External Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11730

Comment 1 Doran Moppert 2019-07-10 00:27:45 UTC
Acknowledgments:

Name: the Mozilla project
Upstream: Luigi Gubello

Comment 2 errata-xmlrpc 2019-07-11 17:19:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1764 https://access.redhat.com/errata/RHSA-2019:1764

Comment 3 errata-xmlrpc 2019-07-11 17:51:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:1765 https://access.redhat.com/errata/RHSA-2019:1765

Comment 4 errata-xmlrpc 2019-07-11 17:55:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1763 https://access.redhat.com/errata/RHSA-2019:1763

Comment 5 Product Security DevOps Team 2019-07-12 13:08:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11730

Comment 6 errata-xmlrpc 2019-07-15 12:41:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1775 https://access.redhat.com/errata/RHSA-2019:1775

Comment 7 errata-xmlrpc 2019-07-15 13:35:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:1777 https://access.redhat.com/errata/RHSA-2019:1777

Comment 8 errata-xmlrpc 2019-07-16 20:27:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1799 https://access.redhat.com/errata/RHSA-2019:1799
