CVE-2017-5448 — HIGH (8.6) — White Hats Nepal

Q: How severe is CVE-2017-5448?

CVE-2017-5448 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2017-5448?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Redhat Enterprise Linux, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Server, Redhat Enterprise Linux Server Aus.

Vulnerability Description

An out-of-bounds write in "ClearKeyDecryptor" while decrypting some Clearkey-encrypted media content. The "ClearKeyDecryptor" code runs within the Gecko Media Plugin (GMP) sandbox. If a second mechanism is found to escape the sandbox, this vulnerability allows for the writing of arbitrary data within memory, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.

CVSS Score

8.6

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

HIGH

Affected Products

Vendor	Product	Versions
Debian	Debian Linux	7.0
Redhat	Enterprise Linux	6.0
Redhat	Enterprise Linux Desktop	6.0
Redhat	Enterprise Linux Server	6.0
Redhat	Enterprise Linux Server Aus	7.3
Redhat	Enterprise Linux Server Eus	7.3
Redhat	Enterprise Linux Workstation	6.0
Mozilla	Firefox	< 45.9.0

Related Weaknesses (CWE)

CWE-787

References

http://www.securityfocus.com/bid/97940Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1038320Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2017:1104Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1106Third Party Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1346648Issue TrackingVendor Advisory
https://www.debian.org/security/2017/dsa-3831Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2017-10/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2017-11/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2017-12/Vendor Advisory
http://www.securityfocus.com/bid/97940Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1038320Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2017:1104Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1106Third Party Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1346648Issue TrackingVendor Advisory
https://www.debian.org/security/2017/dsa-3831Third Party Advisory

FAQ

What is CVE-2017-5448?

CVE-2017-5448 is a vulnerability with a CVSS score of 8.6 (HIGH). An out-of-bounds write in "ClearKeyDecryptor" while decrypting some Clearkey-encrypted media content. The "ClearKeyDecryptor" code runs within the Gecko Media Plugin (GMP) sandbox. If a second mechani...

How severe is CVE-2017-5448?

CVE-2017-5448 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-5448?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Redhat Enterprise Linux, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Server, Redhat Enterprise Linux Server Aus.