Lucene search

[email protected]NVD:CVE-2017-5940

HistoryFeb 09, 2017 - 6:59 p.m.

CVE-2017-5940

2017-02-0918:59:00

CWE-269

[email protected]

web.nvd.nist.gov

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score

8.4

Confidence

High

EPSS

0.001

Percentile

26.8%

JSON

Firejail before 0.9.44.6 and 0.9.38.x LTS before 0.9.38.10 LTS does not comprehensively address dotfile cases during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-5180.

Affected configurations

Nvd

Node

firejail_projectfirejailRange0.9.38–0.9.38.10lts

firejail_projectfirejailRange0.9.40–0.9.44.6

VendorProductVersionCPE
firejail_projectfirejail*cpe:2.3:a:firejail_project:firejail:*:*:*:*:lts:*:*:*
firejail_projectfirejail*cpe:2.3:a:firejail_project:firejail:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
firejail_project	firejail	*	cpe:2.3:a:firejail_project:firejail:::::lts:::*
firejail_project	firejail	*	cpe:2.3:a:firejail_project:firejail::::::::