CVE-2019-9803 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Access restriction bypass
Description	The Upgrade-Insecure-Requests (UIR) specification states that if UIR is enabled through Content Security Policy (CSP), navigation to a same-origin URL must be upgraded to HTTPS. Firefox before 66.0 will incorrectly navigate to an HTTP URL rather than perform the security upgrade requested by the CSP in some circumstances, allowing for potential man-in-the-middle attacks on the linked resources.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-925	firefox	65.0.2-1	66.0-1	Critical	Fixed

Date	Advisory	Group	Package	Severity	Type
22 Mar 2019	ASA-201903-11	AVG-925	firefox	Critical	multiple issues

References
https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9803 https://bugzilla.mozilla.org/show_bug.cgi?id=1515863 https://bugzilla.mozilla.org/show_bug.cgi?id=1437009 https://w3c.github.io/webappsec-upgrade-insecure-requests/

References

https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9803
https://bugzilla.mozilla.org/show_bug.cgi?id=1515863
https://bugzilla.mozilla.org/show_bug.cgi?id=1437009
https://w3c.github.io/webappsec-upgrade-insecure-requests/