PT-2018-3014 · Mozilla+5 · Firefox Esr+7

Philipp

·

Published

2018-09-21

·

Updated

2024-12-12

·

CVE-2018-12385

CVSS v3.1

7.0

High

VectorAV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Thunderbird versions prior to 60.2.1 Firefox ESR versions prior to 60.2.1 Firefox versions prior to 62.0.2
Description The issue is related to a potentially exploitable crash in TransportSecurityInfo used for SSL, which can be triggered by data stored in the local cache in the user profile directory. This problem is only exploitable in combination with another vulnerability that allows an attacker to write data into the local cache or from locally installed malware. Additionally, it can cause a non-exploitable startup crash for users switching between the Nightly and Release versions of Firefox if the same profile is used. The vulnerability is associated with insufficient input validation in the TransportSecurityInfo component.
Recommendations For Thunderbird versions prior to 60.2.1, update to version 60.2.1 or later. For Firefox ESR versions prior to 60.2.1, update to version 60.2.1 or later. For Firefox versions prior to 62.0.2, update to version 62.0.2 or later.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

ALT-PU-2018-2388
ALT-PU-2018-2423
ALT-PU-2018-2669
ALT-PU-2019-2324
ALT-PU-2019-2486
BDU:2019-03413
CESA-2018_2834
CESA-2018_2835
CESA-2018_3403
CVE-2018-12385
DLA-1575-1
DSA-4304-1
DSA-4327-1
MGASA-2018-0480
OPENSUSE-SU-2018:3687-1
OPENSUSE-SU-2018_2817-1
OPENSUSE-SU-2018_3051-1
OPENSUSE-SU-2024:10600-1
OPENSUSE-SU-2024:10601-1
OPENSUSE-SU-2024:14572-1
RHSA-2018:2834
RHSA-2018:2835
RHSA-2018:3403
RHSA-2018:3458
RHSA-2018_2834
RHSA-2018_2835
RHSA-2018_3403
RHSA-2018_3458
SUSE-SU-2018:3247-1
SUSE-SU-2018:3476-1
SUSE-SU-2018:3591-1
SUSE-SU-2018:3591-2
USN-3778-1
USN-3793-1

Affected Products

Alt Linux
Centos
Firefox
Firefox Esr
Red Hat
Suse
Thunderbird
Ubuntu