CVE-2017-5180

Published: Feb 9, 2017Modified: May 13, 2026

8.8

Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Exploitability: 2.0 / Impact: 6.0

Source: NVD

Description

Firejail before 0.9.44.4 and 0.9.38.x LTS before 0.9.38.8 LTS does not consider the .Xauthority case during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option.

Affected (2)

Products: Firejail Project: Firejail

Firejail Project

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Firejail Project Firejail	Before 0.9.44.4
Firejail Project Firejail	From 0.9.38 to 0.9.38.8

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (8)

http://openwall.com/lists/oss-security/2017/01/04/2

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://www.securityfocus.com/bid/95298

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://firejail.wordpress.com/download-2/release-notes/

Source: cve@mitre.org

Release NotesVendor Advisory

https://security.gentoo.org/glsa/201701-62

Source: cve@mitre.org

Third Party Advisory

http://openwall.com/lists/oss-security/2017/01/04/2

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

http://www.securityfocus.com/bid/95298

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://firejail.wordpress.com/download-2/release-notes/

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://security.gentoo.org/glsa/201701-62

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.