CVE-2018-12367 — MEDIUM (4.3)

Q: How severe is CVE-2018-12367?

CVE-2018-12367 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-12367?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Canonical Ubuntu Linux, Mozilla Firefox, Mozilla Thunderbird.

Vulnerability Description

In the previous mitigations for Spectre, the resolution or precision of various methods was reduced to counteract the ability to measure precise time intervals. In that work PerformanceNavigationTiming was not adjusted but it was found that it could be used as a precision timer. This vulnerability affects Thunderbird < 60, Firefox ESR < 60.1, and Firefox < 61.

CVSS Score

4.3

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Debian	Debian Linux	8.0
Canonical	Ubuntu Linux	14.04
Mozilla	Firefox	< 60.1.0
Mozilla	Thunderbird	< 60.0

Related Weaknesses (CWE)

CWE-20

References

http://www.securityfocus.com/bid/104561Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1041193Third Party AdvisoryVDB Entry
https://bugzilla.mozilla.org/show_bug.cgi?id=1462891Issue TrackingPermissions RequiredVendor Advisory
https://lists.debian.org/debian-lts-announce/2018/11/msg00011.htmlMailing ListThird Party Advisory
https://security.gentoo.org/glsa/201810-01Third Party Advisory
https://security.gentoo.org/glsa/201811-13Third Party Advisory
https://usn.ubuntu.com/3705-1/Third Party Advisory
https://www.debian.org/security/2018/dsa-4295Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2018-15/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2018-16/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2018-19/Vendor Advisory
http://www.securityfocus.com/bid/104561Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1041193Third Party AdvisoryVDB Entry
https://bugzilla.mozilla.org/show_bug.cgi?id=1462891Issue TrackingPermissions RequiredVendor Advisory
https://lists.debian.org/debian-lts-announce/2018/11/msg00011.htmlMailing ListThird Party Advisory

FAQ

What is CVE-2018-12367?

CVE-2018-12367 is a vulnerability with a CVSS score of 4.3 (MEDIUM). In the previous mitigations for Spectre, the resolution or precision of various methods was reduced to counteract the ability to measure precise time intervals. In that work PerformanceNavigationTimin...

How severe is CVE-2018-12367?

CVE-2018-12367 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-12367?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Canonical Ubuntu Linux, Mozilla Firefox, Mozilla Thunderbird.