A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered. This vulnerability affects Firefox ESR < 60.2.2 and Firefox < 62.0.3.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2018-12386 from the MITRE CVE dictionary dictionary and NIST NVD.
| CVSS3 Base Score | 8.8 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 7 (firefox) | RHSA-2018:2884 | 2018-10-08 |
| Red Hat Enterprise Linux 6 (firefox) | RHSA-2018:2881 | 2018-10-08 |
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 7 | thunderbird | Not affected |
| Red Hat Enterprise Linux 6 | thunderbird | Not affected |
Vulmon