Main Vulnerability Database Vulnerabilities #VU6333

Sendbox bypass in Mozilla Firefox and Firefox ESR - CVE-2017-5454

Published: April 19, 2017

Vulnerability identifier: #VU6333

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2017-5454

CWE-ID: CWE-265

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Mozilla

Affected software:
Mozilla Firefox
Firefox ESR

Detailed vulnerability description

The vulnerability allows a remote attacker to read files from local filesystem.

The vulnerability exists due to an error in sendbox implementation. A remote attacker can use the file picker to access different files than those selected in the file picker through the use of relative paths.

Successful exploitation of the vulnerability may allow an attacker to read arbitrary files from the vulnerable system.

How to mitigate CVE-2017-5454

Update to Firefox 53 or Firefox ESR 52.1.

Sendbox bypass in Mozilla Firefox and Firefox ESR - CVE-2017-5454

Detailed vulnerability description

How to mitigate CVE-2017-5454

Sources

Please verify you're human