Main Vulnerability Database Vulnerabilities #VU39669

Missing Authorization in firejail - CVE-2017-5180

Published: February 9, 2017 / Updated: August 8, 2020

Vulnerability identifier: #VU39669

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2017-5180

CWE-ID: CWE-862

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: firejail.wordpress.com

Affected software:
firejail

Detailed vulnerability description

The vulnerability allows a local authenticated user to execute arbitrary code.

Firejail before 0.9.44.4 and 0.9.38.x LTS before 0.9.38.8 LTS does not consider the .Xauthority case during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option.

How to mitigate CVE-2017-5180

Install update from vendor's website.

Sources

http://openwall.com/lists/oss-security/2017/01/04/2
http://www.securityfocus.com/bid/95298
https://firejail.wordpress.com/download-2/release-notes/
https://security.gentoo.org/glsa/201701-62

Missing Authorization in firejail - CVE-2017-5180

Detailed vulnerability description

How to mitigate CVE-2017-5180

Sources

Please verify you're human