Vulmon Recent Vulnerabilities Product List Research Posts Trends Blog About Contact

CVE-2018-12383

Related Vulnerabilities: CVE-2018-12383  

If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Firefox < 62, Firefox ESR < 60.2.1, and Thunderbird < 60.2.1.

Source

The MITRE CVE dictionary describes this issue as:

If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Firefox < 62, Firefox ESR < 60.2.1, and Thunderbird < 60.2.1.

Find out more about CVE-2018-12383 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

Upstream decided to not fix this issue in Firefox ESR 60.2 given the low impact. A future ESR update may correct this flaw.

This flaw would impact users who had saved passwords from Firefox 58 or earlier that were not protected by a master password (resulting in an un-encrypted key3.db), but set a master password when using Firefox 59 or newer (resulting in an encrypted key4.db). The old key file was kept around to facilitate downgrading to Firefox 58.

This flaw cannot be exploited through email in Thunderbird as scripting is disabled in this for email content. It may be possible to exploit through Feeds (Atom or RSS) or other browser-like contexts.

CVSS v3 metrics

CVSS3 Base Score 5.5
CVSS3 Base Metrics CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Impact None
Availability Impact None

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 7 (thunderbird) RHSA-2018:3458 2018-11-05
Red Hat Enterprise Linux 7 (firefox) RHSA-2018:2835 2018-09-27
Red Hat Enterprise Linux 6 (firefox) RHSA-2018:2834 2018-09-27
Red Hat Enterprise Linux 6 (thunderbird) RHSA-2018:3403 2018-10-30

Acknowledgements

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Jurgen Gaeremyn as the original reporter.

Mitigation

To mitigate against this flaw, examine user profile directories for the presence of both `key3.db` and `key4.db` files. If both are present, `key3.db` should be deleted.

External References

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact Red Hat Product Security.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Product List Vendor List Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook
Vulmon Logo
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started