Vulnerability CVE-2018-5109

Vulnerability Name:

CVE-2018-5109 (CCN-138155)

Assigned:

2018-01-23

Published:

2018-01-23

Updated:

2018-06-25

Summary:

An audio capture session can started under an incorrect origin from the site making the capture request. Users are still prompted to allow the request but the prompt can display the wrong origin, leading to user confusion about which site is making the request to capture an audio stream. This vulnerability affects Firefox < 58.

CVSS v3 Severity:

5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:C/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Complete Availibility (A): None

Vulnerability Type:

CWE-346

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2018-5109

Source: BID
Type: Third Party Advisory, VDB Entry
102786

Source: CCN
Type: BID-102786
Mozilla Firefox MFSA2018-02 Multiple Security Vulnerabilities

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1040270

Source: CONFIRM
Type: Issue Tracking, Permissions Required
https://bugzilla.mozilla.org/show_bug.cgi?id=1405599

Source: XF
Type: UNKNOWN
firefox-cve20185109-sec-bypass(138155)

Source: UBUNTU
Type: Third Party Advisory
USN-3544-1

Source: CCN
Type: Mozilla Foundation Security Advisory 2018-02
Security vulnerabilities fixed in Firefox 58

Source: CONFIRM
Type: Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2018-02/

Vulnerable Configuration:

Configuration 1:

cpe:/a:mozilla:firefox:*:*:*:*:*:*:*:* (Version <= 57.0.4)

Configuration 2:

cpe:/o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

OR cpe:/o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

OR cpe:/o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20185109	V	CVE-2018-5109	2022-06-30
oval:org.opensuse.security:def:111899	P	MozillaFirefox-92.0-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:105476	P	MozillaFirefox-92.0-1.2 on GA media (Moderate)	2021-10-01
oval:com.ubuntu.artful:def:20185109000	V	CVE-2018-5109 on Ubuntu 17.10 (artful) - medium.	2018-06-11
oval:com.ubuntu.bionic:def:20185109000	V	CVE-2018-5109 on Ubuntu 18.04 LTS (bionic) - medium.	2018-06-11
oval:com.ubuntu.bionic:def:201851090000000	V	CVE-2018-5109 on Ubuntu 18.04 LTS (bionic) - medium.	2018-06-11
oval:com.ubuntu.trusty:def:20185109000	V	CVE-2018-5109 on Ubuntu 14.04 LTS (trusty) - medium.	2018-06-11
oval:com.ubuntu.xenial:def:201851090000000	V	CVE-2018-5109 on Ubuntu 16.04 LTS (xenial) - medium.	2018-06-11
oval:com.ubuntu.xenial:def:20185109000	V	CVE-2018-5109 on Ubuntu 16.04 LTS (xenial) - medium.	2018-06-11

BACK