CVE-2018-12383
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2018-12383 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
Upstream decided to not fix this issue in Firefox ESR 60.2 given the low impact. A future ESR update may correct this flaw.
This flaw would impact users who had saved passwords from Firefox 58 or earlier that were not protected by a master password (resulting in an un-encrypted key3.db), but set a master password when using Firefox 59 or newer (resulting in an encrypted key4.db). The old key file was kept around to facilitate downgrading to Firefox 58.
This flaw cannot be exploited through email in Thunderbird as scripting is disabled in this for email content. It may be possible to exploit through Feeds (Atom or RSS) or other browser-like contexts.
CVSS v3 metrics
| CVSS3 Base Score | 5.5 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | None |
| Availability Impact | None |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 7 (firefox) | RHSA-2018:2835 | 2018-09-27 |
| Red Hat Enterprise Linux 6 (firefox) | RHSA-2018:2834 | 2018-09-27 |
| Red Hat Enterprise Linux 6 (thunderbird) | RHSA-2018:3403 | 2018-10-30 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 7 | thunderbird | Affected |
Acknowledgements
Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Jurgen Gaeremyn as the original reporter.Mitigation
To mitigate against this flaw, examine user profile directories for the presence of both `key3.db` and `key4.db` files. If both are present, `key3.db` should be deleted.
External References
CVE description copyright © 2017, The MITRE Corporation