Main Vulnerability Database Vulnerabilities #VU6335

Sendbox bypass in Mozilla Firefox and Firefox ESR - CVE-2017-5456

Published: April 19, 2017

Vulnerability identifier: #VU6335

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2017-5456

CWE-ID: CWE-265

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Mozilla

Affected software:
Mozilla Firefox
Firefox ESR

Detailed vulnerability description

The vulnerability allows a remote attacker to read files from local filesystem.

The vulnerability exists due to an error in sendbox implementation. A remote attacker can bypass file system access protections in the sandbox using the file system request constructor through an IPC message.

Successful exploitation of the vulnerability may allow an attacker to read arbitrary files from the vulnerable system.

How to mitigate CVE-2017-5456

Update to Firefox 53 or Firefox ESR 52.1.

Sendbox bypass in Mozilla Firefox and Firefox ESR - CVE-2017-5456

Detailed vulnerability description

How to mitigate CVE-2017-5456

Sources

Please verify you're human