Vulnerability CVE-2018-12383: Information

Description

If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Firefox < 62, Firefox ESR < 60.2.1, and Thunderbird < 60.2.1.

Severity: MEDIUM (5.5) Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2018-12383

Published: Oct. 18, 2018

Modified: Oct. 3, 2019

Error type identifier: CWE-522

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
firefox	sisyphus	62.0.3-alt1	127.0-alt1	ALT-PU-2018-2423-1	214118	Fixed
firefox	p10	62.0.3-alt1	118.0.2-alt0.p10.1	ALT-PU-2018-2423-1	214118	Fixed
firefox	p9	62.0.3-alt1	105.0.1-alt0.c9.1	ALT-PU-2018-2423-1	214118	Fixed
firefox	p8	62.0.3-alt0.M80P.1	68.0.1-alt0.M80P.1	ALT-PU-2018-2479-1	214248	Fixed
firefox	c10f1	62.0.3-alt1	112.0.2-alt0.p10.1	ALT-PU-2018-2423-1	214118	Fixed
firefox	c9f2	62.0.3-alt1	105.0.1-alt0.c9.1	ALT-PU-2018-2423-1	214118	Fixed
firefox	c7	60.6.1-alt0.M70C.1	60.8.0-alt0.M70C.1	ALT-PU-2019-1726-1	218597	Fixed
firefox	p11	62.0.3-alt1	126.0.1-alt1	ALT-PU-2018-2423-1	214118	Fixed
firefox-esr	sisyphus	60.2.1-alt1	115.11.0-alt1	ALT-PU-2018-2388-1	213542	Fixed
firefox-esr	p10	60.2.1-alt1	115.11.0-alt1	ALT-PU-2018-2388-1	213542	Fixed
firefox-esr	p9	68.0.2-alt1	102.11.0-alt0.c9.1	ALT-PU-2019-2486-1	235108	Fixed
firefox-esr	p8	60.2.1-alt0.M80P.1	68.4.1-alt0.M80P.1	ALT-PU-2018-2395-1	213645	Fixed
firefox-esr	c10f1	60.2.1-alt1	115.9.1-alt0.c10.1	ALT-PU-2018-2388-1	213542	Fixed
firefox-esr	c9f2	68.0.2-alt1	102.12.0-alt0.c9.1	ALT-PU-2019-2486-1	235108	Fixed
firefox-esr	p11	60.2.1-alt1	115.11.0-alt1	ALT-PU-2018-2388-1	213542	Fixed
thunderbird	sisyphus	60.3.0-alt1	115.9.0-alt1	ALT-PU-2018-2669-1	210777	Fixed
thunderbird	p10	60.3.0-alt1	115.9.0-alt1	ALT-PU-2018-2669-1	210777	Fixed
thunderbird	p9	60.3.0-alt1	102.11.0-alt0.c9.1	ALT-PU-2018-2669-1	210777	Fixed
thunderbird	p8	60.7.2-alt0.M80P.1	60.8.0-alt0.M80P.1	ALT-PU-2019-2196-1	216874	Fixed
thunderbird	c10f1	60.3.0-alt1	115.9.0-alt0.c10.1	ALT-PU-2018-2669-1	210777	Fixed
thunderbird	c9f2	60.3.0-alt1	102.11.0-alt0.c9.1	ALT-PU-2018-2669-1	210777	Fixed
thunderbird	c7	60.8.0-alt0.M70C.1	60.8.0-alt0.M70C.1	ALT-PU-2019-2345-1	234994	Fixed
thunderbird	p11	60.3.0-alt1	115.9.0-alt1	ALT-PU-2018-2669-1	210777	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://www.mozilla.org/security/advisories/mfsa2018-25/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2018-23/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2018-20/	Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1475775	Exploit Issue Tracking Vendor Advisory
DSA-4304	Third Party Advisory
USN-3793-1	Third Party Advisory
USN-3761-1	Third Party Advisory
RHSA-2018:2835	Third Party Advisory
RHSA-2018:2834	Third Party Advisory
1041701	Third Party Advisory VDB Entry
1041610	Third Party Advisory VDB Entry
105276	Third Party Advisory VDB Entry
GLSA-201810-01	Third Party Advisory
DSA-4327	Third Party Advisory
RHSA-2018:3403	Third Party Advisory
RHSA-2018:3458	Third Party Advisory
[debian-lts-announce] 20181112 [SECURITY] [DLA 1575-1] thunderbird security update	Mailing List Third Party Advisory
GLSA-201811-13	Third Party Advisory

Affected configurations:
1. Configuration 1
  cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
  
  Configuration 2
  cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  
  Configuration 3
  cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  
  Configuration 4
  cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
  End excliding
  62.0
  cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
  End excliding
  60.2.1
  cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
  End excliding
  60.2.1

Version: v24.5.3

Vulnerability CVE-2018-12383: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2

Configuration 3

Configuration 4