CVE-2020-15660: Release 0.27.0 · mozilla/geckodriver

Missing checks on Content-Type headers in geckodriver before 0.27.0 could lead to a CSRF vulnerability that might, when paired with a specifically prepared request, lead to remote code execution.


0.27.0 (2020-07-27, 7b8c4f32cdde)

Security Fixes

  • CVE-2020-15660

    • Added additional checks on the Content-Type header for POST requests to disallow application/x-www-form-urlencoded, multipart/form-data and text/plain.

    • Added checking of the Origin header for POST requests.

    • The version number of Firefox is now checked when establishing a session.
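
The Content-Type and Origin checks listed above, sketched in Rust as an added example (not geckodriver's own code). The three disallowed media types come from the release note and are the ones a browser can send cross-origin without a CORS preflight; `Verdict`, `check_request`, the `allowed_origins` allowlist and letting a POST without a Content-Type through are assumptions made for illustration.

```rust
// Added example, not geckodriver source. The allowlist and the handling of
// a missing Content-Type are assumptions; the page does not specify them.

/// Media types the release note says are disallowed for POST requests.
const FORBIDDEN_TYPES: [&str; 3] = [
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
];

#[derive(Debug, PartialEq)]
pub enum Verdict { Allow, RejectContentType, RejectOrigin }

/// Case-insensitive lookup of the first header with the given name.
fn header<'a>(headers: &[(&str, &'a str)], name: &str) -> Option<&'a str> {
    headers.iter().find(|(k, _)| k.eq_ignore_ascii_case(name)).map(|(_, v)| *v)
}

/// `allowed_origins` is a hypothetical allowlist; empty rejects every Origin.
pub fn check_request(method: &str, headers: &[(&str, &str)], allowed_origins: &[&str]) -> Verdict {
    if !method.eq_ignore_ascii_case("POST") {
        return Verdict::Allow; // the release note scopes both checks to POST
    }
    if let Some(ct) = header(headers, "content-type") {
        // Compare the bare media type: strip parameters such as "; charset=UTF-8".
        let media = ct.split(';').next().unwrap_or("").trim().to_ascii_lowercase();
        if FORBIDDEN_TYPES.iter().any(|t| *t == media) {
            return Verdict::RejectContentType;
        }
    }
    if let Some(origin) = header(headers, "origin") {
        if !allowed_origins.iter().any(|a| a.eq_ignore_ascii_case(origin.trim())) {
            return Verdict::RejectOrigin;
        }
    }
    Verdict::Allow
}

fn main() {
    // Constructed sample requests, not captured traffic.
    let json = [("Content-Type", "application/json; charset=utf-8")];
    let form = [("content-type", "Text/Plain; charset=UTF-8")];
    let page = [("Content-Type", "application/json"), ("Origin", "https://example.test")];
    println!("{:?}", check_request("POST", &json, &[]));
    println!("{:?}", check_request("POST", &form, &[]));
    println!("{:?}", check_request("POST", &page, &[]));
}
```

Matching on the bare media type, case-insensitively, matters here: a check against the raw header string would miss `Text/Plain; charset=UTF-8`.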

Known problems

  • macOS 10.15 (Catalina):

    Due to the requirement from Apple that all programs must be notarized, geckodriver will not work on Catalina if you manually download it through another notarized program, such as Firefox.

    Whilst we are working on a repackaging fix for this problem, you can find more details on how to work around this issue in the macOS notarization section of the documentation.

  • Android:

    Marionette will only be enabled in GeckoView based applications when the
    Firefox preference devtools.debugger.remote-enabled is set to True via
    moz:firefoxOptions. This will be fixed in the Firefox 90 release for Android.

    In some cases geckodriver could crash due to a stack overflow when handling
    certain device errors.

Added

  • To set environment variables for the launched Firefox for Android, it is now possible to add an env object on moz:firefoxOptions (note: this is not supported for Firefox Desktop).

  • Support for print-to-PDF

    The newly standardised WebDriver Print endpoint provides a way to render pages to a paginated PDF representation. This endpoint is supported by geckodriver when using Firefox version ≥78.

  • Support for same-site cookies

    Cookies can now be set with a same-site parameter, and the value of that parameter will be returned when cookies are retrieved. Requires Firefox version ≥79. Thanks to Peter Major for the patch.

Fixed

  • Android:

    • Firefox running on Android devices can now be controlled from a Windows host.

    • Setups with multiple connected Android devices are now supported.

    • Improved cleanup of configuration files. This prevents crashes if the application is started manually after launching it through geckodriver.

  • Windows and Linux binaries are again statically linked.
