CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.007 Low
Percentile: 80.5%

Severity: Critical
Date : 2018-08-10
CVE-ID : CVE-2018-5156 CVE-2018-5187 CVE-2018-12361 CVE-2018-12367
CVE-2018-12371
Package : thunderbird
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-751

Summary:
The package thunderbird before version 60.0-1 is vulnerable to multiple
issues including arbitrary code execution and information disclosure.

Resolution:
Upgrade to 60.0-1.
The problems have been fixed upstream in version 60.0.

Workaround:
None.

Description:

CVE-2018-5156: A vulnerability can occur in Firefox before 61.0 and
Thunderbird before 60.0 when capturing a media stream if the media
source type is changed while the capture is occurring. This can result
in stream data being cast to the wrong type, causing a potentially
exploitable crash.

CVE-2018-5187: Several memory safety bugs have been found in Firefox
before 61.0 and Thunderbird before 60.0. Some of these bugs showed
evidence of memory corruption and Mozilla presumes that with enough
effort some of these could be exploited to run arbitrary code.

CVE-2018-12361: An integer overflow can occur in Firefox before 61.0 and
Thunderbird before 60.0 in the SwizzleData code while calculating buffer
sizes. The overflowed value is used for subsequent graphics computations
when their inputs are not sanitized, which results in a potentially
exploitable crash.

CVE-2018-12367: A security issue has been found in Firefox before 61.0
and Thunderbird before 60.0. In the previous mitigations for Spectre,
the resolution or precision of various methods was reduced to counteract
the ability to measure precise time intervals. In that work,
PerformanceNavigationTiming was not adjusted, but it was found that it
could be used as a precision timer.

CVE-2018-12371: An integer overflow vulnerability has been found in the
Skia library shipped with Firefox before 61.0 and Thunderbird before
60.0, when allocating memory for edge builders on some systems with at
least 16 GB of RAM. This results in the use of uninitialized memory,
resulting in a potentially exploitable crash.
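
The bug class named in the SwizzleData and Skia descriptions above is a buffer size that wraps during calculation. The following is an added example, not Mozilla's or Skia's code, showing a wrapping 32-bit size calculation next to a checked form that rejects the geometry. The function names, the 4-bytes-per-pixel layout and the 256 MiB cap are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed policy limit for one image buffer (illustrative value). */
#define MAX_BUFFER_BYTES ((size_t)256 << 20)

/* Unchecked form: the product is computed in 32 bits and wraps modulo 2^32,
 * so a large geometry can yield a size far smaller than the data needs. */
uint32_t buffer_size_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * bpp * height;
}

/* Checked form: every multiplication is guarded by a division test, and the
 * result must stay under a cap. Returns false instead of a wrapped size. */
bool buffer_size_checked(uint32_t width, uint32_t height, uint32_t bpp,
                         size_t cap, size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return false;                    /* degenerate geometry */
    size_t stride = (size_t)width;
    if (stride > SIZE_MAX / bpp)
        return false;                    /* width * bpp would overflow */
    stride *= bpp;
    if (stride > SIZE_MAX / height)
        return false;                    /* stride * height would overflow */
    size_t total = stride * height;
    if (total > cap)
        return false;                    /* larger than policy allows */
    *out = total;
    return true;
}

int main(void)
{
    /* Constructed input: 65536 x 16384 pixels at 4 bytes each is exactly 2^32. */
    size_t n = 0;
    printf("unchecked: %u bytes\n", (unsigned)buffer_size_unchecked(65536, 16384, 4));
    printf("checked accepted: %d\n",
           buffer_size_checked(65536, 16384, 4, MAX_BUFFER_BYTES, &n));
    return 0;
}
```

Any code that later indexes the buffer using the original width and height must use the validated size, otherwise the check on the allocation alone does not protect the subsequent computations.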

Impact:
A remote attacker is able to execute arbitrary code or gain information
about the Spectre mitigations.

References:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-19/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-5156
https://bugzilla.mozilla.org/show_bug.cgi?id=1453127
https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-5187
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1461324%2C1414829%2C1395246%2C1467938%2C1461619%2C1425930%2C1438556%2C1454285%2C1459568%2C1463884
https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12361
https://bugzilla.mozilla.org/show_bug.cgi?id=1463244
https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12367
https://bugzilla.mozilla.org/show_bug.cgi?id=1462891
https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12371
https://bugzilla.mozilla.org/show_bug.cgi?id=1465686
https://security.archlinux.org/CVE-2018-5156
https://security.archlinux.org/CVE-2018-5187
https://security.archlinux.org/CVE-2018-12361
https://security.archlinux.org/CVE-2018-12367
https://security.archlinux.org/CVE-2018-12371
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ArchLinux | any | any | thunderbird | < 60.0-1 | UNKNOWN |