CVE-2018-12365
Published: 27 June 2018
A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction. This could result in exposure of private local files. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.
Priority
Status
Package | Release | Status |
---|---|---|
firefox Launchpad, Ubuntu, Debian |
artful |
Released
(61.0+build3-0ubuntu0.17.10.1)
|
bionic |
Released
(61.0+build3-0ubuntu0.18.04.1)
|
|
trusty |
Released
(61.0+build3-0ubuntu0.14.04.2)
|
|
upstream |
Released
(61.0)
|
|
xenial |
Released
(61.0+build3-0ubuntu0.16.04.2)
|
|
thunderbird Launchpad, Ubuntu, Debian |
artful |
Released
(1:52.9.1+build3-0ubuntu0.17.10.1)
|
bionic |
Released
(1:52.9.1+build3-0ubuntu0.18.04.1)
|
|
trusty |
Released
(1:52.9.1+build3-0ubuntu0.14.04.1)
|
|
upstream |
Released
(52.9.0)
|
|
xenial |
Released
(1:52.9.1+build3-0ubuntu0.16.04.1)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
References
- https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12365
- https://www.mozilla.org/en-US/security/advisories/mfsa2018-17/#CVE-2018-12365
- https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/#CVE-2018-12365
- https://ubuntu.com/security/notices/USN-3705-1
- https://ubuntu.com/security/notices/USN-3714-1
- https://www.cve.org/CVERecord?id=CVE-2018-12365
- NVD
- Launchpad
- Debian