High severity8.8NVD Advisory· Published Feb 9, 2017· Updated May 13, 2026

CVE-2017-5180

Description

Firejail before 0.9.44.4 and 0.9.38.x LTS before 0.9.38.8 LTS does not consider the .Xauthority case during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option.

Affected products

Firejail Project/Firejail2 versions
cpe:2.3:a:firejail_project:firejail:*:*:*:*:-:*:*:*+ 1 more
- cpe:2.3:a:firejail_project:firejail:*:*:*:*:-:*:*:*range: <0.9.44.4
- cpe:2.3:a:firejail_project:firejail:*:*:*:*:lts:*:*:*range: >=0.9.38,<0.9.38.8

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

openwall.com/lists/oss-security/2017/01/04/2nvdMailing ListThird Party Advisory
www.securityfocus.com/bid/95298nvdThird Party AdvisoryVDB Entry
firejail.wordpress.com/download-2/release-notes/nvdRelease NotesVendor Advisory
security.gentoo.org/glsa/201701-62nvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000