CVE-2017-5180

Firejail before 0.9.44.4 and 0.9.38.x LTS before 0.9.38.8 LTS does not consider the .Xauthority case during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option.

Published: Feb 9, 2017
Updated: Apr 13, 2023
CVE: CVE-2017-5180
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS v2:

Severity: Low
Score: 4.6
AV:L/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-862

Affected Software
References

Software	From	Fixed in
firejail_project / firejail	-	0.9.44.4
firejail_project / firejail	0.9.38	0.9.38.8

http://openwall.com/lists/oss-security/2017/01/04/2
http://www.securityfocus.com/bid/95298
https://firejail.wordpress.com/download-2/release-notes/
https://security.gentoo.org/glsa/201701-62

Vulnerability Database

290,278

CVE-2017-5180