CVE-2018-12385

Sažetak

A potentially exploitable crash in TransportSecurityInfo used for SSL can be triggered by data stored in the local cache in the user profile directory. This issue is only exploitable in combination with another vulnerability allowing an attacker to write data into the local cache or from locally installed malware. This issue also triggers a non-exploitable startup crash for users switching between the Nightly and Release versions of Firefox if the same profile is used. This vulnerability affects Thunderbird < 60.2.1, Firefox ESR < 60.2.1, and Firefox < 62.0.2.

Reference

http://www.securityfocus.com/bid/105380
http://www.securitytracker.com/id/1041700
http://www.securitytracker.com/id/1041701
https://access.redhat.com/errata/RHSA-2018:2834
https://access.redhat.com/errata/RHSA-2018:2835
https://access.redhat.com/errata/RHSA-2018:3403
https://access.redhat.com/errata/RHSA-2018:3458
https://bugzilla.mozilla.org/show_bug.cgi?id=1490585
https://lists.debian.org/debian-lts-announce/2018/11/msg00011.html
https://security.gentoo.org/glsa/201810-01
https://security.gentoo.org/glsa/201811-13
https://usn.ubuntu.com/3778-1/
https://usn.ubuntu.com/3793-1/
https://www.debian.org/security/2018/dsa-4304
https://www.debian.org/security/2018/dsa-4327
https://www.mozilla.org/security/advisories/mfsa2018-22/
https://www.mozilla.org/security/advisories/mfsa2018-23/
https://www.mozilla.org/security/advisories/mfsa2018-25/

CVSS

Base:	4.4
Impact:	6.4
Exploitability:	3.4

Pristup

Vektor	Složenost	Autentikacija
LOCAL	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:L/AC:M/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

06-12-2018 - 19:03

Objavljeno

18-10-2018 - 13:29