Lucene search

K

[email protected]NVD:CVE-2018-18505

HistoryFeb 05, 2019 - 9:29 p.m.

CVE-2018-18505

2019-02-0521:29:00

CWE-287

[email protected]

web.nvd.nist.gov

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.2 High

AI Score

Confidence

High

0.011 Low

EPSS

Percentile

84.7%

An earlier fix for an Inter-process Communication (IPC) vulnerability, CVE-2011-3079, added authentication to communication between IPC endpoints and server parents during IPC process creation. This authentication is insufficient for channels created after the IPC process is started, leading to the authentication not being correctly applied to later channels. This could allow for a sandbox escape through IPC channels due to lack of message validation in the listener process. This vulnerability affects Thunderbird < 60.5, Firefox ESR < 60.5, and Firefox < 65.

Affected configurations

NVD

Node

mozillafirefoxRange<65.0

OR

mozillafirefox_esrRange<60.5.0

OR

mozillathunderbirdRange<60.5.0

Node

canonicalubuntu_linuxMatch14.04lts

OR

canonicalubuntu_linuxMatch16.04lts

OR

canonicalubuntu_linuxMatch18.04lts

OR

canonicalubuntu_linuxMatch18.10

Node

debiandebian_linuxMatch8.0

OR

debiandebian_linuxMatch9.0

Node

redhatenterprise_linux_desktopMatch6.0

OR

redhatenterprise_linux_desktopMatch7.0

OR

redhatenterprise_linux_serverMatch6.0

OR

redhatenterprise_linux_serverMatch7.0

OR

redhatenterprise_linux_server_ausMatch7.6

OR

redhatenterprise_linux_server_eusMatch7.6

OR

redhatenterprise_linux_server_tusMatch7.6

OR

redhatenterprise_linux_workstationMatch6.0

OR

redhatenterprise_linux_workstationMatch7.0

References

lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html

www.securityfocus.com/bid/106781

access.redhat.com/errata/RHSA-2019:0218

access.redhat.com/errata/RHSA-2019:0219

access.redhat.com/errata/RHSA-2019:0269

access.redhat.com/errata/RHSA-2019:0270

bugzilla.mozilla.org/show_bug.cgi?id=1087565

lists.debian.org/debian-lts-announce/2019/01/msg00025.html

lists.debian.org/debian-lts-announce/2019/02/msg00024.html

security.gentoo.org/glsa/201903-04

security.gentoo.org/glsa/201904-07

usn.ubuntu.com/3874-1/

usn.ubuntu.com/3897-1/

www.debian.org/security/2019/dsa-4376

www.debian.org/security/2019/dsa-4392

www.mozilla.org/security/advisories/mfsa2019-01/

www.mozilla.org/security/advisories/mfsa2019-02/

www.mozilla.org/security/advisories/mfsa2019-03/

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.2 High

AI Score

Confidence

High

0.011 Low

EPSS

Percentile

84.7%