CVE-2017-5456

moderate-risk

Published 2018-06-11

A mechanism to bypass file system access protections in the sandbox using the file system request constructor through an IPC message. This allows for read and write access to the local file system. This vulnerability affects Firefox ESR < 52.1 and Firefox < 53.

Do I need to act?

0.35% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (10)

Enterprise Linux

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Server Aus

Enterprise Linux Server Eus

Enterprise Linux Workstation

Firefox

Affected Vendors

Redhat Mozilla

References (12)

Third Party Advisory http://www.securityfocus.com/bid/97940

Third Party Advisory http://www.securitytracker.com/id/1038320

Third Party Advisory https://access.redhat.com/errata/RHSA-2017:1106

Exploit https://bugzilla.mozilla.org/show_bug.cgi?id=1344415

Vendor Advisory https://www.mozilla.org/security/advisories/mfsa2017-10/

Vendor Advisory https://www.mozilla.org/security/advisories/mfsa2017-12/

Third Party Advisory http://www.securityfocus.com/bid/97940

Third Party Advisory http://www.securitytracker.com/id/1038320

Third Party Advisory https://access.redhat.com/errata/RHSA-2017:1106

Exploit https://bugzilla.mozilla.org/show_bug.cgi?id=1344415

Vendor Advisory https://www.mozilla.org/security/advisories/mfsa2017-10/

Vendor Advisory https://www.mozilla.org/security/advisories/mfsa2017-12/

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 1/34 · Minimal

Exposure 16/34 · Moderate