ID CVE-2018-12393
Summary A potential vulnerability was found in 32-bit builds where an integer overflow during the conversion of scripts to an internal UTF-16 representation could result in allocating a buffer too small for the conversion. This leads to a possible out-of-bounds write. *Note: 64-bit builds are not vulnerable to this issue.* This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3.
References
Vulnerable Configurations
  • cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:x86:*
  • cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:x86:*
  • cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 01-03-2019 - 17:27)
Impact:
Exploitability:
CWE CWE-787
CAPEC
Access
  Vector    Complexity  Authentication
  NETWORK   LOW         NONE
Impact
  Confidentiality  Integrity  Availability
  NONE             NONE       PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
redhat via4
advisories
  • bugzilla
    id 1642183
    title CVE-2018-12393 Mozilla: Integer overflow during Unicode conversion while loading JavaScript
    oval
    AND
    • comment thunderbird is earlier than 0:60.3.0-1.el6
      oval oval:com.redhat.rhsa:tst:20183531005
    • comment thunderbird is signed with Red Hat redhatrelease2 key
      oval oval:com.redhat.rhsa:tst:20100896006
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
    rhsa
    id RHSA-2018:3531
    released 2018-11-08
    severity Important
    title RHSA-2018:3531: thunderbird security update (Important)
  • bugzilla
    id 1642183
    title CVE-2018-12393 Mozilla: Integer overflow during Unicode conversion while loading JavaScript
    oval
    AND
    • comment thunderbird is earlier than 0:60.3.0-1.el7_5
      oval oval:com.redhat.rhsa:tst:20183532005
    • comment thunderbird is signed with Red Hat redhatrelease2 key
      oval oval:com.redhat.rhsa:tst:20100896006
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhba:tst:20150364001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhba:tst:20150364002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhba:tst:20150364003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20150364004
    rhsa
    id RHSA-2018:3532
    released 2018-11-08
    severity Important
    title RHSA-2018:3532: thunderbird security update (Important)
  • rhsa
    id RHSA-2018:3005
  • rhsa
    id RHSA-2018:3006
rpms
  • firefox-0:60.3.0-1.el7_5
  • firefox-0:60.3.0-1.el6
  • thunderbird-0:60.3.0-1.el6
  • thunderbird-0:60.3.0-1.el7_5
refmap via4
bid
  • 105718
  • 105769
confirm
debian
  • DSA-4324
  • DSA-4337
gentoo
  • GLSA-201811-04
  • GLSA-201811-13
mlist
  • [debian-lts-announce] 20181107 [SECURITY] [DLA 1571-1] firefox-esr security update
  • [debian-lts-announce] 20181112 [SECURITY] [DLA 1575-1] thunderbird security update
sectrack 1041944
ubuntu
  • USN-3801-1
  • USN-3868-1
Last major update 01-03-2019 - 17:27
Published 28-02-2019 - 18:29