CVE-2018-12393 — HIGH (7.5)

Q: How severe is CVE-2018-12393?

CVE-2018-12393 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-12393?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Firefox Esr, Mozilla Thunderbird, Debian Debian Linux, Canonical Ubuntu Linux.

Vulnerability Description

A potential vulnerability was found in 32-bit builds where an integer overflow during the conversion of scripts to an internal UTF-16 representation could result in allocating a buffer too small for the conversion. This leads to a possible out-of-bounds write. *Note: 64-bit builds are not vulnerable to this issue.*. This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3.

CVSS Score

7.5

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Mozilla	Firefox	< 63.0
Mozilla	Firefox Esr	< 60.3
Mozilla	Thunderbird	< 60.3
Debian	Debian Linux	8.0
Canonical	Ubuntu Linux	14.04
Redhat	Enterprise Linux Desktop	6.0
Redhat	Enterprise Linux Server	6.0
Redhat	Enterprise Linux Server Aus	7.6
Redhat	Enterprise Linux Server Eus	7.6
Redhat	Enterprise Linux Server Tus	7.6
Redhat	Enterprise Linux Workstation	6.0

Related Weaknesses (CWE)

CWE-190 CWE-787

References

http://www.securityfocus.com/bid/105718Third Party AdvisoryVDB Entry
http://www.securityfocus.com/bid/105769Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1041944Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:3005Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3006Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3531Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3532Third Party Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1495011Issue TrackingPermissions RequiredVendor Advisory
https://lists.debian.org/debian-lts-announce/2018/11/msg00008.htmlThird Party Advisory
https://lists.debian.org/debian-lts-announce/2018/11/msg00011.htmlThird Party Advisory
https://security.gentoo.org/glsa/201811-04Third Party Advisory
https://security.gentoo.org/glsa/201811-13Third Party Advisory
https://usn.ubuntu.com/3801-1/Third Party Advisory
https://usn.ubuntu.com/3868-1/Third Party Advisory
https://www.debian.org/security/2018/dsa-4324Third Party Advisory

FAQ

What is CVE-2018-12393?

CVE-2018-12393 is a vulnerability with a CVSS score of 7.5 (HIGH). A potential vulnerability was found in 32-bit builds where an integer overflow during the conversion of scripts to an internal UTF-16 representation could result in allocating a buffer too small for t...

How severe is CVE-2018-12393?

CVE-2018-12393 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-12393?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Firefox Esr, Mozilla Thunderbird, Debian Debian Linux, Canonical Ubuntu Linux.