Home > Vulnerability Database > CVE-2018-18505

Mend.io Vulnerability Database

CVE-2018-18505

Date: February 5, 2019

An earlier fix for an Inter-process Communication (IPC) vulnerability, CVE-2011-3079, added authentication to communication between IPC endpoints and server parents during IPC process creation. This authentication is insufficient for channels created after the IPC process is started, leading to the authentication not being correctly applied to later channels. This could allow for a sandbox escape through IPC channels due to lack of message validation in the listener process. This vulnerability affects Thunderbird < 60.5, Firefox ESR < 60.5, and Firefox < 65.

Language: Unix

Severity Score

10.0

Related Resources (23)

Url: https://nvd.nist.gov/vuln/detail/CVE-2018-18505

Url: http://www.securityfocus.com/bid/106781

Url: https://access.redhat.com/security/cve/CVE-2018-18505

Url: https://access.redhat.com/errata/RHSA-2019:0269

Url: https://lists.debian.org/debian-lts-announce/2019/01/msg00025.html

Url: https://www.mozilla.org/security/advisories/mfsa2019-01/

Url: http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html

Url: https://www.mozilla.org/security/advisories/mfsa2019-03/

Url: https://www.mozilla.org/security/advisories/mfsa2019-02/

Url: https://security.gentoo.org/glsa/201904-07

Url: https://security.gentoo.org/glsa/201903-04

Url: https://www.debian.org/security/2019/dsa-4392

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18505

Url: https://security-tracker.debian.org/tracker/CVE-2018-18505

Url: https://access.redhat.com/errata/RHSA-2019:0270

Url: https://bugzilla.mozilla.org/show_bug.cgi?id=1087565

Url: https://www.debian.org/security/2019/dsa-4376

Url: https://lists.debian.org/debian-lts-announce/2019/02/msg00024.html

Url: https://access.redhat.com/errata/RHSA-2019:0218

Url: https://usn.ubuntu.com/3897-1/

Url: https://usn.ubuntu.com/3874-1/

Url: https://access.redhat.com/errata/RHSA-2019:0219

Url: https://www.mend.io/vulnerability-database/CVE-2018-18505

Severity Score

10.0

Weakness Type (CWE)

Authentication Issues

CWE-287

Permissions, Privileges, and Access Control

CWE-264

CVSS v3.1

Base Score:	10.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	7.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2018-18505

Date: February 5, 2019

Language: Unix

Severity Score

Related Resources (23)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?