Vulnerability Details : CVE-2018-5130
When packets with a mismatched RTP payload type are sent in WebRTC connections, in some circumstances a potentially exploitable crash is triggered. This vulnerability affects Firefox ESR < 52.7 and Firefox < 59.
Vulnerability category: Input validation
Products affected by CVE-2018-5130
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-5130
0.41%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 74 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-5130
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST | |
8.8
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2018-5130
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-5130
-
https://usn.ubuntu.com/3596-1/
USN-3596-1: Firefox vulnerabilities | Ubuntu security noticesThird Party Advisory
-
http://www.securitytracker.com/id/1040514
Mozilla Firefox Multiple Bugs Let Remote Users Spoof URLs, Bypass Security Restrictions, Deny Service, Obtain Potentially Sensitive Information, and Execute Arbitrary Code - SecurityTrackerThird Party Advisory;VDB Entry
-
https://www.mozilla.org/security/advisories/mfsa2018-06/
Security vulnerabilities fixed in Firefox 59 — MozillaVendor Advisory
-
https://lists.debian.org/debian-lts-announce/2018/03/msg00010.html
[SECURITY] [DLA 1308-1] firefox-esr security updateMailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2018:0526
RHSA-2018:0526 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2018:0527
RHSA-2018:0527 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://security.gentoo.org/glsa/201810-01
Mozilla Firefox: Multiple vulnerabilities (GLSA 201810-01) — Gentoo securityThird Party Advisory
-
http://www.securityfocus.com/bid/103388
Mozilla Firefox and Firefox ESR Multiple Security VulnerabilitiesThird Party Advisory;VDB Entry
-
https://www.mozilla.org/security/advisories/mfsa2018-07/
Security vulnerabilities fixed in Firefox ESR 52.7 — MozillaVendor Advisory
-
https://bugzilla.mozilla.org/show_bug.cgi?id=1433005
1433005 - (CVE-2018-5130) Crash when WebRTC RTP payload type is incorrectIssue Tracking;Permissions Required
-
https://www.debian.org/security/2018/dsa-4139
Debian -- Security Information -- DSA-4139-1 firefox-esrThird Party Advisory
Jump to