Firejail Project Firejail — known CVE vulnerabilities
Every CVE whose affected-product data names Firejail Project Firejail, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (18)
CVE-2020-17368 — CVSS 9.8 (critical): Firejail through 0.9.62 mishandles shell metacharacters during use of the --output or --output-stderr option, which may lead to command…
CVE-2017-5206 — CVSS 9.0 (critical): Firejail before 0.9.44.4, when running on a Linux kernel before 4.8, allows context-dependent attackers to bypass a seccomp-based sandbox…
CVE-2017-5940 — CVSS 8.8 (high): Firejail before 0.9.44.6 and 0.9.38.x LTS before 0.9.38.10 LTS does not comprehensively address dotfile cases during its attempt to prevent…
CVE-2017-5180 — CVSS 8.8 (high): Firejail before 0.9.44.4 and 0.9.38.x LTS before 0.9.38.8 LTS does not consider the .Xauthority case during its attempt to prevent…
CVE-2016-9016 — CVSS 8.8 (high): Firejail 0.9.38.4 allows local users to execute arbitrary commands outside of the sandbox via a crafted TIOCSTI ioctl call.
CVE-2019-12589 — CVSS 8.8 (high): In Firejail before 0.9.60, seccomp filters are writable inside the jail, leading to a lack of intended seccomp restrictions for a process…
CVE-2019-12499 — CVSS 8.1 (high): Firejail before 0.9.60 allows truncation (resizing to length 0) of the firejail binary on the host by running exploit code inside a…
CVE-2020-17367 — CVSS 7.8 (high): Firejail through 0.9.62 does not honor the -- end-of-options indicator after the --output option, which may lead to command injection.
CVE-2022-31214 — CVSS 7.8 (high): A Privilege Context Switching issue was discovered in join.c in Firejail 0.9.68. By crafting a bogus Firejail container that is accepted by…
CVE-2016-10119 — CVSS 7.8 (high): Firejail uses 0777 permissions when mounting /tmp, which allows local users to gain privileges.
CVE-2016-10120 — CVSS 7.8 (high): Firejail uses 0777 permissions when mounting (1) /dev, (2) /dev/shm, (3) /var/tmp, or (4) /var/lock, which allows local users to gain…
CVE-2016-10121 — CVSS 7.8 (high): Firejail uses weak permissions for /dev/shm/firejail and possibly other files, which allows local users to gain privileges.
CVE-2016-10122 — CVSS 7.8 (high): Firejail does not properly clean environment variables, which allows local users to gain privileges.
CVE-2016-10123 — CVSS 7.8 (high): Firejail allows --chroot when seccomp is not supported, which might allow local users to gain privileges.
CVE-2017-5207 — CVSS 7.8 (high): Firejail before 0.9.44.4, when running a bandwidth command, allows local users to gain root privileges via the --shell argument.
CVE-2016-10117 — CVSS 7.8 (high): Firejail does not restrict access to --tmpfs, which allows local users to gain privileges, as demonstrated by mounting over /etc.
CVE-2021-26910 — CVSS 7.8 (high): Firejail before 0.9.64.4 allows attackers to bypass intended access restrictions because there is a TOCTOU race condition between a stat…