Vulnerability Description
The "pingsender" executable used by the Firefox Health Report dynamically loads a system copy of libcurl, which an attacker could replace. This allows for privilege escalation as the replaced libcurl code will run with Firefox's privileges. Note: This attack requires an attacker have local system access and only affects OS X and Linux. Windows systems are not affected. This vulnerability affects Firefox < 57.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | <= 56.0.2 |
| Apple | Mac Os X | All versions |
| Linux | Linux Kernel | All versions |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/101832Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1039803Third Party AdvisoryVDB Entry
- https://bugzilla.mozilla.org/show_bug.cgi?id=1401339Issue TrackingPermissions Required
- https://www.mozilla.org/security/advisories/mfsa2017-24/Vendor Advisory
- http://www.securityfocus.com/bid/101832Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1039803Third Party AdvisoryVDB Entry
- https://bugzilla.mozilla.org/show_bug.cgi?id=1401339Issue TrackingPermissions Required
- https://www.mozilla.org/security/advisories/mfsa2017-24/Vendor Advisory
FAQ
What is CVE-2017-7836?
CVE-2017-7836 is a vulnerability with a CVSS score of 7.8 (HIGH). The "pingsender" executable used by the Firefox Health Report dynamically loads a system copy of libcurl, which an attacker could replace. This allows for privilege escalation as the replaced libcurl ...
How severe is CVE-2017-7836?
CVE-2017-7836 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-7836?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Apple Mac Os X, Linux Linux Kernel.