CVE-2017-5427 : A non-existent chrome.manifest file will attempt to be loaded during startup from the primary installation directory. If

A non-existent chrome.manifest file will attempt to be loaded during startup from the primary installation directory. If a malicious user with local access puts chrome.manifest and other referenced files in this directory, they will be loaded and activated during startup. This could result in malicious software being added without consent or modification of referenced installed files. This vulnerability affects Firefox < 52.

Published 2018-06-11 21:29:05

Updated 2018-08-07 18:06:07

Source Mozilla Corporation

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2017-5427

Probability of exploitation activity in the next 30 days: 0.04%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 6 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2017-5427

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
1.9	LOW	AV:L/AC:M/Au:N/C:N/I:P/A:N	3.4	2.9	NIST
Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
5.5	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N	1.8	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2017-5427

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-5427

https://www.mozilla.org/security/advisories/mfsa2017-05/

Security vulnerabilities fixed in Firefox 52 — Mozilla
Vendor Advisory

CVEs referencing this url
https://bugzilla.mozilla.org/show_bug.cgi?id=1295542

1295542 - (CVE-2017-5427) Firefox tries to read a non existent chrome.manifest from install directory.
Issue Tracking;Patch;Vendor Advisory
http://www.securitytracker.com/id/1037966

Mozilla Firefox Multiple Bugs Let Remote Users Bypass Security Restrictions, Spoof URLs, Obtain Potentially Sensitive Information, Deny Service, and Execute Arbitrary Code - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url
http://www.securityfocus.com/bid/96692

Mozilla Firefox MFSA 2017-05 Multiple Security Vulnerabilities
VDB Entry;Third Party Advisory

CVEs referencing this url

Products affected by CVE-2017-5427

Mozilla » Firefox
Versions before (<) 52.0
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2017-5427

Exploit prediction scoring system (EPSS) score for CVE-2017-5427

CVSS scores for CVE-2017-5427

CWE ids for CVE-2017-5427

References for CVE-2017-5427

Products affected by CVE-2017-5427