Security bypass in Mozilla Firefox
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2017-5400 |
| CWE-ID | CWE-265 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Mozilla Firefox Client/Desktop applications / Web browsers |
| Vendor | Mozilla |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Security bypass
EUVDB-ID: #VU5921
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-5400
CWE-ID:
CWE-265 - Privilege / Sandbox Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security mechanisms.
The vulnerability exists due to an error within asm.js. A remote attacker can perform a JIT-spray technique combined with a heap spray and bypass implemented ASLR and DEP protections.
Successful exploitation of the vulnerability may allow an attacker to leverage exploitation of other remote code execution vulnerabilities.
MitigationUpdate to Firefox 52.
Vulnerable software versionsMozilla Firefox: 50.0 - 51.0.3
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:50.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:50.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:50.0.2:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
