CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS
Percentile
81.5%
Mozilla developer Daniel Veditz reported that when the jar: scheme is used to wrap a URI which serves the content with Content-Disposition: attachment, the HTTP header is ignored and the content is unpacked and displayed inline. A site may depend on this HTTP header to prevent potentially untrusted content that it serves from executing within the context of the site. An attacker could use this vulnerability to subvert sites using this mechanism to mitigate content injection attacks.