CVE-2018-18500
Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 05/02/2019
Last modified: 02/04/2019
Description
A use-after-free vulnerability can occur while parsing an HTML5 stream in concert with custom HTML elements. This results in the stream parser object being freed while still in use, leading to a potentially exploitable crash. This vulnerability affects Thunderbird
Impact
Base Score 3.x: 9.80
Severity 3.x: CRITICAL
Base Score 2.0: 7.50
Severity 2.0: HIGH
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* | 65.0 (excluding) | |
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:* | 60.5 (excluding) | |
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* | 60.5 (excluding) | |
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:* | | |
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:* | | |
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* | | |
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:* | | |
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* | | |
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* | | |
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:* | | |
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:* | | |
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:* | | |
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:* | | |
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:* | | |
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html
- http://www.securityfocus.com/bid/106781
- https://access.redhat.com/errata/RHSA-2019:0218
- https://access.redhat.com/errata/RHSA-2019:0219
- https://access.redhat.com/errata/RHSA-2019:0269
- https://access.redhat.com/errata/RHSA-2019:0270
- https://lists.debian.org/debian-lts-announce/2019/01/msg00025.html
- https://lists.debian.org/debian-lts-announce/2019/02/msg00024.html
- https://security.gentoo.org/glsa/201903-04
- https://security.gentoo.org/glsa/201904-07
- https://usn.ubuntu.com/3874-1/
- https://usn.ubuntu.com/3897-1/
- https://www.debian.org/security/2019/dsa-4376
- https://www.debian.org/security/2019/dsa-4392
- https://www.mozilla.org/security/advisories/mfsa2019-01/
- https://www.mozilla.org/security/advisories/mfsa2019-02/
- https://www.mozilla.org/security/advisories/mfsa2019-03/