Vulnerability Description
A use-after-free vulnerability can occur during XSL transformations when the source document for the transformation is manipulated by script content during the transformation. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian | Debian Linux | 7.0 |
| Redhat | Enterprise Linux Desktop | 6.0 |
| Redhat | Enterprise Linux Server | 6.0 |
| Redhat | Enterprise Linux Server Aus | 7.4 |
| Redhat | Enterprise Linux Server Eus | 7.4 |
| Redhat | Enterprise Linux Workstation | 6.0 |
| Mozilla | Firefox | < 58.0 |
| Mozilla | Thunderbird | < 52.6.0 |
| Canonical | Ubuntu Linux | 14.04 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/102783Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1040270Third Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHSA-2018:0122Third Party Advisory
- https://access.redhat.com/errata/RHSA-2018:0262Third Party Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=1387427Issue TrackingPermissions RequiredThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2018/01/msg00030.htmlThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2018/01/msg00036.htmlThird Party Advisory
- https://usn.ubuntu.com/3544-1/Third Party Advisory
- https://www.debian.org/security/2018/dsa-4096Third Party Advisory
- https://www.debian.org/security/2018/dsa-4102Third Party Advisory
- https://www.mozilla.org/security/advisories/mfsa2018-02/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2018-03/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2018-04/Vendor Advisory
- http://www.securityfocus.com/bid/102783Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1040270Third Party AdvisoryVDB Entry
FAQ
What is CVE-2018-5097?
CVE-2018-5097 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A use-after-free vulnerability can occur during XSL transformations when the source document for the transformation is manipulated by script content during the transformation. This results in a potent...
How severe is CVE-2018-5097?
CVE-2018-5097 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-5097?
Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Server, Redhat Enterprise Linux Server Aus, Redhat Enterprise Linux Server Eus.