CVE-2017-5397 — Inclusion of Functionality from Untrusted Control Sphere in Mozilla Firefox

CWE-829 — Inclusion of Functionality from Untrusted Control Sphere3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

0.5%

top 32.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedJun 11

Latest updateMay 13

Description

The cache directory on the local file system is set to be world writable. Firefox defaults to extracting libraries from this cache. This allows for the possibility of an installed malicious application or tools with write access to the file system to replace files used by Firefox with their own versions. This vulnerability affects Firefox < 51.0.3.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5mozilla/firefoxunspecified — 51.0.3

▶NVDmozilla/firefox< 51.0.3

▶debiandebian/firefox

Patches

Patch: bugzilla.mozilla.org ↗Patch: bugzilla.mozilla.org ↗

🔴Vulnerability Details

GHSA

GHSA-5h8g-78mr-f4g5: The cache directory on the local file system is set to be world writable↗2022-05-13

▶

📋Vendor Advisories

Debian

CVE-2017-5397: firefox - The cache directory on the local file system is set to be world writable. Firefo...↗2017

▶