Описание
If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Firefox < 62, Firefox ESR < 60.2.1, and Thunderbird < 60.2.1.
Отчет
Upstream decided to not fix this issue in Firefox ESR 60.2 given the low impact. A future ESR update may correct this flaw.
This flaw would impact users who had saved passwords from Firefox 58 or earlier that were not protected by a master password (resulting in an un-encrypted key3.db), but set a master password when using Firefox 59 or newer (resulting in an encrypted key4.db). The old key file was kept around to facilitate downgrading to Firefox 58.
This flaw cannot be exploited through email in Thunderbird as scripting is disabled in this for email content. It may be possible to exploit through Feeds (Atom or RSS) or other browser-like contexts.
Меры по смягчению последствий
To mitigate against this flaw, examine user profile directories for the presence of both key3.db and key4.db files. If both are present, key3.db should be deleted.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 8 | firefox | Not affected | ||
| Red Hat Enterprise Linux 8 | thunderbird | Will not fix | ||
| Red Hat Enterprise Linux 6 | firefox | Fixed | RHSA-2018:2834 | 27.09.2018 |
| Red Hat Enterprise Linux 6 | thunderbird | Fixed | RHSA-2018:3403 | 30.10.2018 |
| Red Hat Enterprise Linux 7 | firefox | Fixed | RHSA-2018:2835 | 27.09.2018 |
| Red Hat Enterprise Linux 7 | thunderbird | Fixed | RHSA-2018:3458 | 05.11.2018 |
Показывать по
Дополнительная информация
Статус:
EPSS
5.5 Medium
CVSS3
Связанные уязвимости
If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Firefox < 62, Firefox ESR < 60.2.1, and Thunderbird < 60.2.1.
If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Firefox < 62, Firefox ESR < 60.2.1, and Thunderbird < 60.2.1.
If a user saved passwords before Firefox 58 and then later set a maste ...
If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Firefox < 62, Firefox ESR < 60.2.1, and Thunderbird < 60.2.1.
Уязвимость веб-браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с хранением паролей в незашифрованном виде, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
EPSS
5.5 Medium
CVSS3