UBUNTU-CVE-2017-5180

See a problem?

Source

https://ubuntu.com/security/CVE-2017-5180

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-5180.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2017-5180

Related

CVE-2017-5180

Published

2017-02-09T18:59:00Z

Modified

2017-02-09T18:59:00Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Firejail before 0.9.44.4 and 0.9.38.x LTS before 0.9.38.8 LTS does not consider the .Xauthority case during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option.

References

Affected packages

Ubuntu:16.04:LTS / firejail

Package

Name: firejail
Purl: pkg:deb/ubuntu/firejail?arch=src?distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9.38-1ubuntu0.1

Affected versions

0.*

0.9.28-1

0.9.32-1

0.9.34-1

0.9.36-1

0.9.38-1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "0.9.38-1ubuntu0.1",
            "binary_name": "firejail"
        },
        {
            "binary_version": "0.9.38-1ubuntu0.1",
            "binary_name": "firejail-dbgsym"
        }
    ]
}