CVE-2017-7764 — MEDIUM (5.3)

Q: How severe is CVE-2017-7764?

CVE-2017-7764 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2017-7764?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Thunderbird, Debian Debian Linux.

Vulnerability Description

Characters from the "Canadian Syllabics" unicode block can be mixed with characters from other unicode blocks in the addressbar instead of being rendered as their raw "punycode" form, allowing for domain name spoofing attacks through character confusion. The current Unicode standard allows characters from "Aspirational Use Scripts" such as Canadian Syllabics to be mixed with Latin characters in the "moderately restrictive" IDN profile. We have changed Firefox behavior to match the upcoming Unicode version 10.0 which removes this category and treats them as "Limited Use Scripts.". This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2.

CVSS Score

5.3

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Mozilla	Firefox	< 52.2.0
Mozilla	Thunderbird	< 52.2.0
Debian	Debian Linux	8.0

Related Weaknesses (CWE)

CWE-20

References

http://www.securityfocus.com/bid/99057Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1038689Third Party AdvisoryVDB Entry
http://www.unicode.org/reports/tr31/tr31-26.html#Aspirational_Use_ScriptsThird Party Advisory
https://access.redhat.com/errata/RHSA-2017:1440Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1561Third Party Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1364283ExploitIssue TrackingVendor Advisory
https://www.debian.org/security/2017/dsa-3881Third Party Advisory
https://www.debian.org/security/2017/dsa-3918Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2017-15/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2017-16/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2017-17/Vendor Advisory
http://www.securityfocus.com/bid/99057Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1038689Third Party AdvisoryVDB Entry
http://www.unicode.org/reports/tr31/tr31-26.html#Aspirational_Use_ScriptsThird Party Advisory
https://access.redhat.com/errata/RHSA-2017:1440Third Party Advisory

FAQ

What is CVE-2017-7764?

CVE-2017-7764 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Characters from the "Canadian Syllabics" unicode block can be mixed with characters from other unicode blocks in the addressbar instead of being rendered as their raw "punycode" form, allowing for dom...

How severe is CVE-2017-7764?

CVE-2017-7764 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-7764?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Thunderbird, Debian Debian Linux.