CVE-2017-5454: Infoleak
First published: Wed Apr 19 2017(Updated: )
A mechanism to bypass file system access protections in the sandbox to use the file picker to access different files than those selected in the file picker through the use of relative paths. This allows for read only access to the local file system.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Thunderbird | <52.1 | 52.1 |
| Mozilla Firefox ESR | <52.1 | 52.1 |
| Mozilla Firefox | <53 | 53 |
| Red Hat Enterprise Linux | =6.0 | |
| Red Hat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux Desktop | =6.0 | |
| Redhat Enterprise Linux Desktop | =7.0 | |
| Red Hat Enterprise Linux Server | =6.0 | |
| Red Hat Enterprise Linux Server | =7.0 | |
| Red Hat Enterprise Linux Server | =7.3 | |
| Red Hat Enterprise Linux Server | =7.4 | |
| Red Hat Enterprise Linux Server | =7.3 | |
| Red Hat Enterprise Linux Server | =7.4 | |
| Red Hat Enterprise Linux Server | =7.5 | |
| Redhat Enterprise Linux Workstation | =6.0 | |
| Redhat Enterprise Linux Workstation | =7.0 | |
| Mozilla Firefox | <53.0 | |
| Mozilla Firefox ESR | <52.1.0 | |
| Mozilla Thunderbird | <52.1.0 | |
| debian/firefox | 135.0-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1349276
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-13/
- https://www.mozilla.org/security/advisories/mfsa2017-10/
- https://www.mozilla.org/security/advisories/mfsa2017-12/
- https://www.mozilla.org/security/advisories/mfsa2017-13/
- https://access.redhat.com/errata/RHSA-2017:1106
- https://access.redhat.com/errata/RHSA-2017:1201
- http://www.securityfocus.com/bid/97940
- http://www.securitytracker.com/id/1038320
- https://launchpad.net/bugs/cve/CVE-2017-5454
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-11/#CVE-2017-5454
- https://bugzilla.redhat.com/show_bug.cgi?id=1443338
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-12/
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-13/#CVE-2017-5461
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/
- https://security-tracker.debian.org/tracker/CVE-2017-5454
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5454
- https://nvd.nist.gov/vuln/detail/CVE-2017-5454
- https://ubuntu.com/security/CVE-2017-5454
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2017-5433
- CVE-2017-5435
- CVE-2017-5436
- CVE-2017-5461
- CVE-2017-5459
- CVE-2017-5466
- CVE-2017-5434
- CVE-2017-5432
- CVE-2017-5460
- CVE-2017-5438
- CVE-2017-5439
- CVE-2017-5440
- CVE-2017-5441
- CVE-2017-5442
- CVE-2017-5464
- CVE-2017-5443
- CVE-2017-5444
- CVE-2017-5446
- CVE-2017-5447
- CVE-2017-5465
- CVE-2016-10196
- CVE-2017-5454
- CVE-2017-5469
- CVE-2017-5445
- CVE-2017-5449
- CVE-2017-5451
- CVE-2017-5462
- CVE-2017-5467
- CVE-2017-5430
- CVE-2017-5429
- CVE-2017-5448
- CVE-2017-5455
- CVE-2017-5456
- CVE-2017-5450
- CVE-2017-5463
- CVE-2017-5452
- CVE-2017-5453
- CVE-2017-5458
- CVE-2017-5468
Frequently Asked Questions
What is the severity of CVE-2017-5454?
CVE-2017-5454 is classified as a high severity vulnerability due to its potential to bypass file system access protections.
How do I fix CVE-2017-5454?
To mitigate CVE-2017-5454, update affected software such as Mozilla Thunderbird to version 52.1 or higher, and Mozilla Firefox to version 53 or higher.
Which products are affected by CVE-2017-5454?
CVE-2017-5454 affects Mozilla Thunderbird versions prior to 52.1, Mozilla Firefox ESR prior to 52.1, and Mozilla Firefox versions prior to 53.
Can CVE-2017-5454 allow access to sensitive files?
Yes, CVE-2017-5454 enables read-only access to the local file system, which can expose sensitive files if exploited.
Is CVE-2017-5454 related to file picker functionality?
Yes, CVE-2017-5454 specifically allows for bypassing file system protections in the sandbox related to the file picker.
- collector/mozilla-advisory
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-5454
- agent/author
- agent/weakness
- agent/remedy
- agent/severity
- source/Mozilla
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/description
- agent/event
- agent/last-modified-date
- agent/trending
- collector/security-tracker-debian
- source/Debian
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- collector/nvd-index
- agent/softwarecombine
- vendor/mozilla
- canonical/mozilla thunderbird
- canonical/mozilla firefox esr
- canonical/mozilla firefox
- package-manager/debian
- vendor/redhat
- canonical/red hat enterprise linux
- version/red hat enterprise linux/6.0
- version/red hat enterprise linux/7.0
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/6.0
- version/redhat enterprise linux desktop/7.0
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/6.0
- version/red hat enterprise linux server/7.0
- version/red hat enterprise linux server/7.3
- version/red hat enterprise linux server/7.4
- version/red hat enterprise linux server/7.5
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/6.0
- version/redhat enterprise linux workstation/7.0