github - ghsa-cvcq-m8cv-7r6g

ghsa-cvcq-m8cv-7r6g

Vulnerability from github

Published

2022-05-13 01:49

Modified

2022-05-13 01:49

Severity ?

5.5 (Medium) - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Firefox < 62, Firefox ESR < 60.2.1, and Thunderbird < 60.2.1.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2018-12383"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-18T13:29:00Z",
    "severity": "MODERATE"
  },
  "details": "If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Firefox \u003c 62, Firefox ESR \u003c 60.2.1, and Thunderbird \u003c 60.2.1.",
  "id": "GHSA-cvcq-m8cv-7r6g",
  "modified": "2022-05-13T01:49:35Z",
  "published": "2022-05-13T01:49:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12383"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2834"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2835"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3403"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3458"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1475775"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00011.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201810-01"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201811-13"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3761-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3793-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4304"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4327"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2018-20"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2018-23"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2018-25"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105276"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1041610"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1041701"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

cve-2018-12383

Vulnerability from cvelistv5

Published

2018-10-18 13:00

Modified

2024-08-05 08:30

Severity ?

Summary

References

▼	URL	Tags
	https://security.gentoo.org/glsa/201810-01	vendor-advisory, x_refsource_GENTOO
	https://lists.debian.org/debian-lts-announce/2018/11/msg00011.html	mailing-list, x_refsource_MLIST
	https://security.gentoo.org/glsa/201811-13	vendor-advisory, x_refsource_GENTOO
	https://bugzilla.mozilla.org/show_bug.cgi?id=1475775	x_refsource_CONFIRM
	https://www.debian.org/security/2018/dsa-4327	vendor-advisory, x_refsource_DEBIAN
	https://www.mozilla.org/security/advisories/mfsa2018-23/	x_refsource_CONFIRM
	https://access.redhat.com/errata/RHSA-2018:2835	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2018:3403	vendor-advisory, x_refsource_REDHAT
	https://www.mozilla.org/security/advisories/mfsa2018-20/	x_refsource_CONFIRM
	http://www.securitytracker.com/id/1041610	vdb-entry, x_refsource_SECTRACK
	http://www.securityfocus.com/bid/105276	vdb-entry, x_refsource_BID
	http://www.securitytracker.com/id/1041701	vdb-entry, x_refsource_SECTRACK
	https://access.redhat.com/errata/RHSA-2018:3458	vendor-advisory, x_refsource_REDHAT
	https://www.debian.org/security/2018/dsa-4304	vendor-advisory, x_refsource_DEBIAN
	https://access.redhat.com/errata/RHSA-2018:2834	vendor-advisory, x_refsource_REDHAT
	https://usn.ubuntu.com/3793-1/	vendor-advisory, x_refsource_UBUNTU
	https://www.mozilla.org/security/advisories/mfsa2018-25/	x_refsource_CONFIRM
	https://usn.ubuntu.com/3761-1/	vendor-advisory, x_refsource_UBUNTU

Impacted products

▼	Vendor	Product
	Mozilla	Firefox
	Mozilla	Firefox ESR
	Mozilla	Thunderbird

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T08:30:59.923Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "GLSA-201810-01",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201810-01"
          },
          {
            "name": "[debian-lts-announce] 20181112 [SECURITY] [DLA 1575-1] thunderbird security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00011.html"
          },
          {
            "name": "GLSA-201811-13",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201811-13"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1475775"
          },
          {
            "name": "DSA-4327",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2018/dsa-4327"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2018-23/"
          },
          {
            "name": "RHSA-2018:2835",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2835"
          },
          {
            "name": "RHSA-2018:3403",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:3403"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2018-20/"
          },
          {
            "name": "1041610",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1041610"
          },
          {
            "name": "105276",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/105276"
          },
          {
            "name": "1041701",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1041701"
          },
          {
            "name": "RHSA-2018:3458",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:3458"
          },
          {
            "name": "DSA-4304",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2018/dsa-4304"
          },
          {
            "name": "RHSA-2018:2834",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2834"
          },
          {
            "name": "USN-3793-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3793-1/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2018-25/"
          },
          {
            "name": "USN-3761-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3761-1/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "62",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "60.2.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "60.2.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2018-09-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Firefox \u003c 62, Firefox ESR \u003c 60.2.1, and Thunderbird \u003c 60.2.1."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-11-25T10:57:01",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "name": "GLSA-201810-01",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/201810-01"
        },
        {
          "name": "[debian-lts-announce] 20181112 [SECURITY] [DLA 1575-1] thunderbird security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00011.html"
        },
        {
          "name": "GLSA-201811-13",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/201811-13"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1475775"
        },
        {
          "name": "DSA-4327",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2018/dsa-4327"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2018-23/"
        },
        {
          "name": "RHSA-2018:2835",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2835"
        },
        {
          "name": "RHSA-2018:3403",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:3403"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2018-20/"
        },
        {
          "name": "1041610",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1041610"
        },
        {
          "name": "105276",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/105276"
        },
        {
          "name": "1041701",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1041701"
        },
        {
          "name": "RHSA-2018:3458",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:3458"
        },
        {
          "name": "DSA-4304",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2018/dsa-4304"
        },
        {
          "name": "RHSA-2018:2834",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2834"
        },
        {
          "name": "USN-3793-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3793-1/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2018-25/"
        },
        {
          "name": "USN-3761-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3761-1/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@mozilla.org",
          "ID": "CVE-2018-12383",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Firefox",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "62"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Firefox ESR",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "60.2.1"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Thunderbird",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "60.2.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Mozilla"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Firefox \u003c 62, Firefox ESR \u003c 60.2.1, and Thunderbird \u003c 60.2.1."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "GLSA-201810-01",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/201810-01"
            },
            {
              "name": "[debian-lts-announce] 20181112 [SECURITY] [DLA 1575-1] thunderbird security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00011.html"
            },
            {
              "name": "GLSA-201811-13",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/201811-13"
            },
            {
              "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1475775",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1475775"
            },
            {
              "name": "DSA-4327",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2018/dsa-4327"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2018-23/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2018-23/"
            },
            {
              "name": "RHSA-2018:2835",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:2835"
            },
            {
              "name": "RHSA-2018:3403",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:3403"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2018-20/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2018-20/"
            },
            {
              "name": "1041610",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1041610"
            },
            {
              "name": "105276",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/105276"
            },
            {
              "name": "1041701",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1041701"
            },
            {
              "name": "RHSA-2018:3458",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:3458"
            },
            {
              "name": "DSA-4304",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2018/dsa-4304"
            },
            {
              "name": "RHSA-2018:2834",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:2834"
            },
            {
              "name": "USN-3793-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3793-1/"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2018-25/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2018-25/"
            },
            {
              "name": "USN-3761-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3761-1/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2018-12383",
    "datePublished": "2018-10-18T13:00:00",
    "dateReserved": "2018-06-14T00:00:00",
    "dateUpdated": "2024-08-05T08:30:59.923Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted