Vulnerability Details : CVE-2017-5427
A non-existent chrome.manifest file will attempt to be loaded during startup from the primary installation directory. If a malicious user with local access puts chrome.manifest and other referenced files in this directory, they will be loaded and activated during startup. This could result in malicious software being added without consent or modification of referenced installed files. This vulnerability affects Firefox < 52.
Exploit prediction scoring system (EPSS) score for CVE-2017-5427
Probability of exploitation activity in the next 30 days: 0.04%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 6 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2017-5427
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
1.9
|
LOW | AV:L/AC:M/Au:N/C:N/I:P/A:N |
3.4
|
2.9
|
NIST |
5.5
|
MEDIUM | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
1.8
|
3.6
|
NIST |
CWE ids for CVE-2017-5427
-
The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-5427
-
https://www.mozilla.org/security/advisories/mfsa2017-05/
Security vulnerabilities fixed in Firefox 52 — MozillaVendor Advisory
-
https://bugzilla.mozilla.org/show_bug.cgi?id=1295542
1295542 - (CVE-2017-5427) Firefox tries to read a non existent chrome.manifest from install directory.Issue Tracking;Patch;Vendor Advisory
-
http://www.securitytracker.com/id/1037966
Mozilla Firefox Multiple Bugs Let Remote Users Bypass Security Restrictions, Spoof URLs, Obtain Potentially Sensitive Information, Deny Service, and Execute Arbitrary Code - SecurityTrackerThird Party Advisory;VDB Entry
-
http://www.securityfocus.com/bid/96692
Mozilla Firefox MFSA 2017-05 Multiple Security VulnerabilitiesVDB Entry;Third Party Advisory
Products affected by CVE-2017-5427
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*