Vulnerability Name:

CVE-2018-5185 (CCN-143564)

Assigned:2018-05-18
Published:2018-05-18
Updated:2019-10-03
Summary:Plaintext of decrypted emails can leak through by user submitting an embedded form. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8.
CVSS v3 Severity:6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
6.5 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
5.7 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
4.9 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:C/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-311
CWE-200
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2018-5185

Source: BID
Type: Third Party Advisory, VDB Entry
104240

Source: CCN
Type: BID-104240
Mozilla Thunderbird Prior to 52.8 Multiple Information Disclosure Vulnerabilities

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1040946

Source: REDHAT
Type: Third Party Advisory
RHSA-2018:1725

Source: REDHAT
Type: Third Party Advisory
RHSA-2018:1726

Source: CONFIRM
Type: Issue Tracking, Permissions Required, Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1450345

Source: XF
Type: UNKNOWN
mozilla-thunderbird-cve20185185-info-disc(143564)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20180525 [SECURITY] [DLA 1382-1] thunderbird security update

Source: GENTOO
Type: Third Party Advisory
GLSA-201811-13

Source: UBUNTU
Type: Third Party Advisory
USN-3660-1

Source: DEBIAN
Type: Third Party Advisory
DSA-4209

Source: CCN
Type: Mozilla Foundation Security Advisory 2018-13
Security vulnerabilities fixed in Thunderbird 52.8

Source: CONFIRM
Type: Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2018-13/

Vulnerable Configuration:Configuration 1:
  • cpe:/o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

  • Configuration 2:
  • cpe:/o:debian:debian_linux:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

  • Configuration 3:
  • cpe:/o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

  • Configuration 4:
  • cpe:/a:mozilla:thunderbird:*:*:*:*:*:*:*:* (Version < 52.8.0)
  • OR cpe:/a:mozilla:thunderbird_esr:*:*:*:*:*:*:*:* (Version < 52.8.0)

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

  • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

  • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

  • Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:6::client:*:*:*:*:*

  • Configuration RedHat 7:
  • cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

  • Configuration RedHat 8:
  • cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:mozilla:thunderbird:52.7:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:645
    P
    Security update for php7 (Moderate) (in QA)
    2022-10-04
    oval:org.opensuse.security:def:20185185
    V
    CVE-2018-5185
    2022-09-02
    oval:org.opensuse.security:def:3546
    P
    libICE6-1.0.8-12.1 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:95176
    P
    MozillaThunderbird-91.8.0-150200.8.65.1 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:1693
    P
    Security update for stunnel (Important)
    2022-03-16
    oval:org.opensuse.security:def:111905
    P
    MozillaThunderbird-91.1.1-1.1 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:64678
    P
    Security update for apache2 (Important)
    2022-01-17
    oval:org.opensuse.security:def:1137
    P
    Security update for the Linux Kernel (Important)
    2021-11-16
    oval:org.opensuse.security:def:105478
    P
    MozillaThunderbird-91.1.1-1.1 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:66933
    P
    Security update for gd (Moderate)
    2021-09-27
    oval:org.opensuse.security:def:71352
    P
    openssh-7.9p1-4.7 on GA media (Moderate)
    2021-09-21
    oval:org.opensuse.security:def:64765
    P
    Security update for ghostscript (Critical)
    2021-09-15
    oval:org.opensuse.security:def:70289
    P
    Security update for libesmtp (Important)
    2021-09-03
    oval:org.opensuse.security:def:47794
    P
    libtasn1-4.9-3.5.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47620
    P
    git-core-2.12.3-27.14.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48320
    P
    sysvinit-tools-2.88+-101.3.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47673
    P
    libXdmcp6-1.1.1-12.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48172
    P
    libpng12-0-1.2.50-19.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47659
    P
    krb5-appl-clients-1.0.3-1.2 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48080
    P
    libXinerama1-1.1.3-3.54 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47619
    P
    giflib-progs-5.0.5-12.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48211
    P
    libunwind-1.1-11.3.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47948
    P
    apache-commons-httpclient-3.1-4.364 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48119
    P
    libgraphite2-3-1.3.1-10.3.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47755
    P
    libopenssl1_1-1.1.1-1.9 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47658
    P
    krb5-1.12.5-40.28.2 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47987
    P
    cyrus-sasl-2.1.26-8.7.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47634
    P
    gstreamer-plugins-base-1.8.3-12.11 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:101020
    P
    minicom-2.7.1-1.19 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:1732
    P
    open-vm-tools-desktop-11.2.5-1.17 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:1098
    P
    libopenjp2-7-2.3.0-1.25 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:1773
    P
    Security update for MozillaThunderbird (Important)
    2021-07-22
    oval:org.opensuse.security:def:68012
    P
    Security update for the Linux Kernel (Live Patch 16 for SLE 15 SP1) (Important)
    2021-07-14
    oval:org.opensuse.security:def:66841
    P
    Security update for freeradius-server (Moderate)
    2021-06-23
    oval:org.opensuse.security:def:48776
    P
    gnome-shell-calendar-3.20.4-70.4 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:2435
    P
    MozillaThunderbird-52.8-1.2 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48657
    P
    yast2-3.1.206-36.3 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48886
    P
    telepathy-gabble-0.18.3-5.7 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48745
    P
    libsilc-1_1-2-1.1.10-24.128 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48573
    P
    libzip2-0.11.1-12.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48815
    P
    raptor-2.0.10-3.67 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48680
    P
    libIlmImf-Imf_2_1-21-32bit-2.1.0-4.5 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48359
    P
    DirectFB-1.7.1-6.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48784
    P
    libFLAC++6-32bit-1.3.0-11.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48719
    P
    freerdp-1.0.2-7.9 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48618
    P
    rsyslog-8.4.0-14.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48847
    P
    lhasa-0.2.0-5.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:63524
    P
    MozillaThunderbird-52.8-1.2 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48534
    P
    libpng12-0-1.2.50-13.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:73624
    P
    Security update for graphviz (Critical)
    2021-05-19
    oval:org.opensuse.security:def:68112
    P
    Security update for the Linux Kernel (Live Patch 14 for SLE 15 SP1) (Important)
    2021-03-17
    oval:org.opensuse.security:def:94307
    P
    MozillaThunderbird-68.8.0-3.80.2 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:71465
    P
    cups-filters-1.25.0-1.107 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:63563
    P
    MozillaThunderbird-60.6.1-3.28.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:2474
    P
    MozillaThunderbird-60.6.1-3.28.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:117201
    P
    MozillaThunderbird-68.8.0-3.80.2 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:63604
    P
    MozillaThunderbird-68.8.0-3.80.2 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:103747
    P
    MozillaThunderbird-60.6.1-3.28.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:2515
    P
    MozillaThunderbird-68.8.0-3.80.2 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:90092
    P
    MozillaThunderbird-60.6.1-3.28.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:107686
    P
    MozillaThunderbird-68.8.0-3.80.2 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:26427
    P
    Security update for python-Django (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25299
    P
    Security update for webkit2gtk3 (Important)
    2020-12-01
    oval:org.opensuse.security:def:50080
    P
    libvirt on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:50173
    P
    MozillaThunderbird on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25218
    P
    Security update for samba (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:50119
    P
    apache2-mod_php7 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25091
    P
    Security update for the Linux Kernel (Important)
    2020-12-01
    oval:org.opensuse.security:def:25643
    P
    Security update for hunspell (Low)
    2020-12-01
    oval:org.opensuse.security:def:50214
    P
    MozillaThunderbird on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25027
    P
    Security update for expat (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25789
    P
    Security update for flash-player (Critical)
    2020-12-01
    oval:org.opensuse.security:def:25016
    P
    Security update for qemu (Important)
    2020-12-01
    oval:org.opensuse.security:def:25590
    P
    Security update for dovecot22 (Important)
    2020-12-01
    oval:org.opensuse.security:def:26462
    P
    Security update for Mozilla Thunderbird (Important)
    2020-12-01
    oval:org.opensuse.security:def:50160
    P
    libpskc-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:73506
    P
    jcl-over-slf4j on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25745
    P
    Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:25440
    P
    Security update for python-xdg (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:70184
    P
    osc on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25731
    P
    Security update for memcached (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:50134
    P
    MozillaThunderbird on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25356
    P
    Security update for MozillaFirefox (Important)
    2020-12-01
    oval:com.ubuntu.bionic:def:201851850000000
    V
    CVE-2018-5185 on Ubuntu 18.04 LTS (bionic) - medium.
    2018-06-11
    oval:com.ubuntu.trusty:def:20185185000
    V
    CVE-2018-5185 on Ubuntu 14.04 LTS (trusty) - medium.
    2018-06-11
    oval:com.ubuntu.xenial:def:201851850000000
    V
    CVE-2018-5185 on Ubuntu 16.04 LTS (xenial) - medium.
    2018-06-11
    oval:com.ubuntu.xenial:def:20185185000
    V
    CVE-2018-5185 on Ubuntu 16.04 LTS (xenial) - medium.
    2018-06-11
    oval:com.ubuntu.artful:def:20185185000
    V
    CVE-2018-5185 on Ubuntu 17.10 (artful) - medium.
    2018-06-11
    oval:com.ubuntu.bionic:def:20185185000
    V
    CVE-2018-5185 on Ubuntu 18.04 LTS (bionic) - medium.
    2018-06-11
    oval:com.redhat.rhsa:def:20181725
    P
    RHSA-2018:1725: thunderbird security update (Important)
    2018-05-24
    oval:com.redhat.rhsa:def:20181726
    P
    RHSA-2018:1726: thunderbird security update (Important)
    2018-05-24
    BACK
    redhat enterprise linux desktop 6.0
    redhat enterprise linux desktop 7.0
    redhat enterprise linux server 6.0
    redhat enterprise linux server 7.0
    redhat enterprise linux server aus 7.6
    redhat enterprise linux server eus 7.5
    redhat enterprise linux server eus 7.6
    redhat enterprise linux server tus 7.6
    redhat enterprise linux workstation 6.0
    redhat enterprise linux workstation 7.0
    debian debian linux 7.0
    debian debian linux 8.0
    debian debian linux 9.0
    canonical ubuntu linux 14.04
    canonical ubuntu linux 16.04
    canonical ubuntu linux 17.10
    canonical ubuntu linux 18.04
    mozilla thunderbird *
    mozilla thunderbird esr *
    mozilla thunderbird 52.7