ГлавнаяУязвимости → CVE-2025-2817
8.8высокая

CVE-2025-2817

Описание

Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation. This vulnerability was fixed in Firefox 138, Firefox ESR 128.10, Firefox ESR 115.23, Thunderbird 138, and Thunderbird 128.10.

Затрагиваемое ПО
Mozilla FirefoxMozilla Thunderbird
CVSS
Балл8.8 — высокая
ВекторCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Источники
https://bugzilla.mozilla.org/show_bug.cgi?id=1917536https://www.mozilla.org/security/advisories/mfsa2025-28/https://www.mozilla.org/security/advisories/mfsa2025-29/https://www.mozilla.org/security/advisories/mfsa2025-30/https://www.mozilla.org/security/advisories/mfsa2025-31/https://www.mozilla.org/security/advisories/mfsa2025-32/https://lists.debian.org/debian-lts-announce/2025/05/msg00022.html