1790800 – (CVE-2019-17020) CVE-2019-17020 Mozilla: Content Security Policy bypass for XSL stylesheet

Bug 1790800 (CVE-2019-17020) - CVE-2019-17020 Mozilla: Content Security Policy bypass for XSL stylesheet

Summary: CVE-2019-17020 Mozilla: Content Security Policy bypass for XSL stylesheet

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2019-17020
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1787590
TreeView+	depends on / blocked

Reported:	2020-01-14 08:55 UTC by Marian Rehak
Modified:	2020-02-06 08:09 UTC (History)
CC List:	4 users (show)
Fixed In Version:	firefox 68.4, thunderbird 68.4.1
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-02-06 08:09:34 UTC
Embargoed:

Attachments	(Terms of Use)

Description Marian Rehak 2020-01-14 08:55:03 UTC

If an XML file is served with a Content Security Policy and the XML file includes an XSL stylesheet, the Content Security Policy will not be applied to the contents of the XSL stylesheet. If the XSL sheet e.g. includes JavaScript, it would bypass any of the restrictions of the Content Security Policy applied to the XML document. This vulnerability affects Firefox < 72.

Upstream Advisory:

https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17020

Comment 1 Product Security DevOps Team 2020-02-06 08:09:34 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-17020

Note You need to log in before you can comment on or make changes to this bug.