CVE Vulnerabilities

CVE-2018-5163

Improper Preservation of Permissions

Published: Jun 11, 2018 | Modified: Oct 03, 2019
CVSS 3.x
8.1
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
5.1 MEDIUM
AV:N/AC:H/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
8.1 MODERATE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM

If a malicious attacker has used another vulnerability to gain full control over a content process, they may be able to replace the alternate data resources stored in the JavaScript Start-up Bytecode Cache (JSBC) for other JavaScript code. If the parent process then runs this replaced code, the executed script would be run with the parent process privileges, escaping the sandbox on content processes. This vulnerability affects Firefox < 60.

Weakness

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

Affected Software

Name Vendor Start Version End Version
Ubuntu_linux Canonical 14.04 (including) 14.04 (including)
Ubuntu_linux Canonical 16.04 (including) 16.04 (including)
Ubuntu_linux Canonical 17.10 (including) 17.10 (including)
Ubuntu_linux Canonical 18.04 (including) 18.04 (including)
Firefox Ubuntu artful *
Firefox Ubuntu bionic *
Firefox Ubuntu devel *
Firefox Ubuntu trusty *
Firefox Ubuntu upstream *
Firefox Ubuntu xenial *

References