SB2021011013 - Data handling in thunderbird (Alpine package)
Published: January 10, 2021
Security Bulletin ID
SB2021011013
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Data handling (CVE-ID: CVE-2020-35112)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to the way Firefox processes downloaded files without extensions on Windows operating system. If a user downloaded a file lacking an extension on Windows, and then "Open"-ed it from the downloads panel, if there was an executable file in the downloads directory with the same name but with an executable extension (such as .bat or .exe) that executable would have been launched instead.
The vulnerability affects Windows installations only.
Remediation
Install update from vendor's website.