CVE-2017-7808Sensitive Information Exposure in Mozilla Firefox

CWE-200Sensitive Information ExposureCWE-346Origin Validation ErrorCWE-863Incorrect Authorization12 documents7 sources
Severity
5.3MEDIUMNVD
OSV9.1
EPSS
0.1%
top 68.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mozilla FirefoxDebian Firefox
Timeline
PublishedJun 11
Latest updateMay 14

Description

A content security policy (CSP) "frame-ancestors" directive containing origins with paths allows for comparisons against those paths instead of the origin. This results in a cross-origin information leak of this path information. This vulnerability affects Firefox < 55.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

debiandebian/firefox< firefox 55.0-1 (sid)
CVEListV5mozilla/firefoxunspecified55
NVDmozilla/firefox< 55.0
Ubuntumozilla/firefox< 55.0.1+build2-0ubuntu0.14.04.2+3

Patches

Patch: bugzilla.mozilla.orgPatch: bugzilla.mozilla.org

🔴Vulnerability Details

5
GHSA
GHSA-hgfv-gvcw-686v: A content security policy (CSP) "frame-ancestors" directive containing origins with paths allows for comparisons against those paths instead of the or2022-05-14
OSV
firefox regression2017-08-17
OSV
ubufox update2017-08-16
OSV
firefox vulnerabilities2017-08-15
OSV
CVE-2017-7808: A content security policy (CSP) "frame-ancestors" directive containing origins with paths allows for comparisons against those paths instead of the or2017-08-10

📋Vendor Advisories

5
Ubuntu
Firefox regression2017-08-17
Ubuntu
Ubufox update2017-08-16
Ubuntu
Firefox vulnerabilities2017-08-15
Red Hat
Mozilla: CSP information leak with frame-ancestors containing paths (MFSA 2017-18)2017-08-08
Debian
CVE-2017-7808: firefox - A content security policy (CSP) "frame-ancestors" directive containing origins w...2017

💬Community

1
Bugzilla
CVE-2017-7808 Mozilla: CSP information leak with frame-ancestors containing paths (MFSA 2017-18)2017-08-08