Lucene search

K

[email protected]NVD:CVE-2018-12385

HistoryOct 18, 2018 - 1:29 p.m.

CVE-2018-12385

2018-10-1813:29:06

CWE-20

[email protected]

web.nvd.nist.gov

1

4.4 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

7 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

28.3%

A potentially exploitable crash in TransportSecurityInfo used for SSL can be triggered by data stored in the local cache in the user profile directory. This issue is only exploitable in combination with another vulnerability allowing an attacker to write data into the local cache or from locally installed malware. This issue also triggers a non-exploitable startup crash for users switching between the Nightly and Release versions of Firefox if the same profile is used. This vulnerability affects Thunderbird < 60.2.1, Firefox ESR < 60.2.1, and Firefox < 62.0.2.

Affected configurations

NVD

Node

redhatenterprise_linux_desktopMatch6.0

OR

redhatenterprise_linux_desktopMatch7.0

OR

redhatenterprise_linux_serverMatch6.0

OR

redhatenterprise_linux_serverMatch7.0

OR

redhatenterprise_linux_server_ausMatch7.6

OR

redhatenterprise_linux_server_eusMatch7.5

OR

redhatenterprise_linux_server_eusMatch7.6

OR

redhatenterprise_linux_server_tusMatch7.6

OR

redhatenterprise_linux_workstationMatch6.0

OR

redhatenterprise_linux_workstationMatch7.0

Node

debiandebian_linuxMatch8.0

OR

debiandebian_linuxMatch9.0

Node

canonicalubuntu_linuxMatch14.04lts

OR

canonicalubuntu_linuxMatch16.04lts

OR

canonicalubuntu_linuxMatch18.04lts

Node

mozillafirefoxRange<62.0.2

OR

mozillafirefox_esrRange<60.2.1

OR

mozillathunderbirdRange<60.2.1

References

www.securityfocus.com/bid/105380

www.securitytracker.com/id/1041700

www.securitytracker.com/id/1041701

access.redhat.com/errata/RHSA-2018:2834

access.redhat.com/errata/RHSA-2018:2835

access.redhat.com/errata/RHSA-2018:3403

access.redhat.com/errata/RHSA-2018:3458

bugzilla.mozilla.org/show_bug.cgi?id=1490585

lists.debian.org/debian-lts-announce/2018/11/msg00011.html

security.gentoo.org/glsa/201810-01

security.gentoo.org/glsa/201811-13

usn.ubuntu.com/3778-1/

usn.ubuntu.com/3793-1/

www.debian.org/security/2018/dsa-4304

www.debian.org/security/2018/dsa-4327

www.mozilla.org/security/advisories/mfsa2018-22/

www.mozilla.org/security/advisories/mfsa2018-23/

www.mozilla.org/security/advisories/mfsa2018-25/

4.4 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

7 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

28.3%

Related for NVD:CVE-2018-12385

veracode1 debiancve1 mozilla3 openvas23 ubuntucve1 ibm1 nessus42 prion1 redhatcve1 freebsd1 cve1 cvelist1 suse3 osv3 kaspersky2 redhat4 oraclelinux3 centos3 debian3 altlinux2 ubuntu2 archlinux1 mageia1 gentoo2