CVE-2018-12365
Publication date 27 June 2018
Last updated 25 August 2025
Ubuntu priority
Description
A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction. This could result in exposure of private local files. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| firefox | 18.04 LTS bionic |
Fixed 61.0+build3-0ubuntu0.18.04.1
|
| 16.04 LTS xenial |
Fixed 61.0+build3-0ubuntu0.16.04.2
|
|
| 14.04 LTS trusty |
Fixed 61.0+build3-0ubuntu0.14.04.2
|
|
| thunderbird | 18.04 LTS bionic |
Fixed 1:52.9.1+build3-0ubuntu0.18.04.1
|
| 16.04 LTS xenial |
Fixed 1:52.9.1+build3-0ubuntu0.16.04.1
|
|
| 14.04 LTS trusty |
Fixed 1:52.9.1+build3-0ubuntu0.14.04.1
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.5 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-3714-1
- Thunderbird vulnerabilities
- 12 July 2018
- USN-3705-1
- Firefox vulnerabilities
- 5 July 2018