PT-2019-19874 · Gnu+2 · Bash+2
Potatoe
Published: 2019-04-01 · Updated: 2024-12-12
CVE-2019-9804
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Firefox versions prior to 66
Description
The issue arises when the result of the 'Copy as cURL' command in Firefox Developer Tools is pasted into a command shell on macOS, potentially leading to the execution of unintended additional bash script commands if the URL was maliciously crafted. This is due to a problem with the native version of Bash on macOS. The issue is exclusive to macOS, with other operating systems being unaffected.
Recommendations
For Firefox versions prior to 66, update to version 66 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the 'Copy as cURL' command in Firefox Developer Tools when working with potentially malicious URLs on macOS.
Fix
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Bash
Firefox