CVE-2017-5384 — MEDIUM (5.9)

Q: How severe is CVE-2017-5384?

CVE-2017-5384 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2017-5384?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox.

Vulnerability Description

Proxy Auto-Config (PAC) files can specify a JavaScript function called for all URL requests with the full URL path which exposes more information than would be sent to the proxy itself in the case of HTTPS. Normally the Proxy Auto-Config file is specified by the user or machine owner and presumed to be non-malicious, but if a user has enabled Web Proxy Auto Detect (WPAD) this file can be served remotely. This vulnerability affects Firefox < 51.

CVSS Score

5.9

MEDIUM

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Mozilla	Firefox	< 51.0

Related Weaknesses (CWE)

CWE-200

References

http://www.securityfocus.com/bid/95763Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1037693Third Party AdvisoryVDB Entry
https://bugzilla.mozilla.org/show_bug.cgi?id=1255474Issue TrackingPatchVendor Advisory
https://www.contextis.com//resources/blog/leaking-https-urls-20-year-old-vulneraExploitTechnical DescriptionThird Party Advisory
https://www.mozilla.org/security/advisories/mfsa2017-01/Vendor Advisory
http://www.securityfocus.com/bid/95763Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1037693Third Party AdvisoryVDB Entry
https://bugzilla.mozilla.org/show_bug.cgi?id=1255474Issue TrackingPatchVendor Advisory
https://www.contextis.com//resources/blog/leaking-https-urls-20-year-old-vulneraExploitTechnical DescriptionThird Party Advisory
https://www.mozilla.org/security/advisories/mfsa2017-01/Vendor Advisory

FAQ

What is CVE-2017-5384?

CVE-2017-5384 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Proxy Auto-Config (PAC) files can specify a JavaScript function called for all URL requests with the full URL path which exposes more information than would be sent to the proxy itself in the case of ...

How severe is CVE-2017-5384?

CVE-2017-5384 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-5384?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox.