Homepage

Improper Privilege Management Affecting firejail package, versions <0.9.44.6-1

Severity

 Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.04% (6th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Privilege Management vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-DEBIAN10-FIREJAIL-319240
  • published9 Feb 2017
  • disclosed9 Feb 2017
Report a new vulnerability Found a mistake?

Introduced: 9 Feb 2017

CVE-2017-5940  (opens in a new tab)
CWE-269  (opens in a new tab)

How to fix?

Upgrade Debian:10 firejail to version 0.9.44.6-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream firejail package and not the firejail package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

Firejail before 0.9.44.6 and 0.9.38.x LTS before 0.9.38.10 LTS does not comprehensively address dotfile cases during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-5180.