Vulnerability Details : CVE-2018-12365
A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction. This could result in exposure of private local files. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.
Vulnerability category: Information leak
Exploit prediction scoring system (EPSS) score for CVE-2018-12365
Probability of exploitation activity in the next 30 days: 0.22%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 59 %
CVSS scores for CVE-2018-12365
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | [email protected] |
6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | 2.8 | 3.6 | [email protected] |
CWE ids for CVE-2018-12365
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: [email protected] (Primary)
References for CVE-2018-12365
- https://bugzilla.mozilla.org/show_bug.cgi?id=1459206 (Issue Tracking; Permissions Required; Vendor Advisory)
- http://www.securitytracker.com/id/1041193 (Third Party Advisory; VDB Entry)
- https://access.redhat.com/errata/RHSA-2018:2113 (Third Party Advisory)
- https://security.gentoo.org/glsa/201811-13 (Third Party Advisory)
- https://www.mozilla.org/security/advisories/mfsa2018-17/ (Vendor Advisory)
- http://www.securityfocus.com/bid/104560 (Third Party Advisory; VDB Entry)
- https://lists.debian.org/debian-lts-announce/2018/06/msg00014.html (Mailing List; Third Party Advisory)
- https://www.debian.org/security/2018/dsa-4235 (Third Party Advisory)
- https://security.gentoo.org/glsa/201810-01 (Third Party Advisory)
- https://www.debian.org/security/2018/dsa-4244 (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2018/07/msg00013.html (Mailing List; Third Party Advisory)
- https://www.mozilla.org/security/advisories/mfsa2018-15/ (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2018:2251 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:2252 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:2112 (Third Party Advisory)
- https://www.mozilla.org/security/advisories/mfsa2018-19/ (Vendor Advisory)
- https://www.mozilla.org/security/advisories/mfsa2018-18/ (Vendor Advisory)
- https://usn.ubuntu.com/3714-1/ (Third Party Advisory)
- https://usn.ubuntu.com/3705-1/ (Third Party Advisory)
- https://www.mozilla.org/security/advisories/mfsa2018-16/ (Vendor Advisory)
Products affected by CVE-2018-12365
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*