CVE-2017-5456: Incorrect Permission Assignment in Mozilla Firefox

Severity: 9.8 CRITICAL (NVD)
EPSS: 0.3% (top 42.68%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 11; Latest update May 13

Description

A mechanism to bypass file system access protections in the sandbox using the file system request constructor through an IPC message. This allows for read and write access to the local file system. This vulnerability affects Firefox ESR < 52.1 and Firefox < 53.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (7 packages)

CVEListV5 | mozilla/firefox | unspecified | 53
NVD | mozilla/firefox | < 53.0 | +1
CVEListV5 | mozilla/firefox_esr | unspecified | 52.1
Ubuntu | mozilla/firefox | < 53.0+build6-0ubuntu0.14.04.1 | +1

Also affects: Enterprise Linux 7.0, 7.3, 7.4, 7.5

🔴 Vulnerability Details (3)

GHSA: GHSA-59p4-f6m8-9792: A mechanism to bypass file system access protections in the sandbox using the file system request constructor through an IPC message (2022-05-13)
CVEList: CVE-2017-5456: A mechanism to bypass file system access protections in the sandbox using the file system request constructor through an IPC message (2018-06-11)
OSV: CVE-2017-5456: A mechanism to bypass file system access protections in the sandbox using the file system request constructor through an IPC message (2017-04-20)

📋 Vendor Advisories (3)

Ubuntu: Firefox vulnerabilities (2017-04-21)
Red Hat: Mozilla: Sandbox escape allowing local file system read access (MFSA 2017-12) (2017-04-19)
Debian: CVE-2017-5456: firefox - A mechanism to bypass file system access protections in the sandbox using the fi... (2017)

💬 Community (1)

Bugzilla: CVE-2017-5456 Mozilla: Sandbox escape allowing local file system read access (MFSA 2017-12) (2017-04-19)