CVE-2017-5383
Published: 25 January 2017
URLs containing certain unicode glyphs for alternative hyphens and quotes do not properly trigger punycode display, allowing for domain name spoofing attacks in the location bar. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51.
Priority
Status
Package | Release | Status |
---|---|---|
firefox (Launchpad, Ubuntu, Debian) | upstream | Released (51) |
firefox | precise | Released (51.0.1+build2-0ubuntu0.12.04.1) |
firefox | xenial | Released (51.0.1+build2-0ubuntu0.16.04.1) |
firefox | yakkety | Released (51.0.1+build2-0ubuntu0.16.10.1) |
firefox | zesty | Released (52.0.1+build2-0ubuntu1) |
firefox | trusty | Released (51.0.1+build2-0ubuntu0.14.04.1) |
thunderbird (Launchpad, Ubuntu, Debian) | upstream | Needs triage |
thunderbird | precise | Released (1:45.7.0+build1-0ubuntu0.12.04.1) |
thunderbird | xenial | Released (1:45.7.0+build1-0ubuntu0.16.04.1) |
thunderbird | yakkety | Released (1:45.7.0+build1-0ubuntu0.16.10.1) |
thunderbird | zesty | Released (1:45.7.0+build1-0ubuntu1) |
thunderbird | trusty | Released (1:45.7.0+build1-0ubuntu0.14.04.1) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.3 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5383
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5383
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-03/#CVE-2017-5383
- https://ubuntu.com/security/notices/USN-3175-1
- https://ubuntu.com/security/notices/USN-3165-1
- NVD
- Launchpad
- Debian