Information disclosure in Mozilla Thunderbird
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-1936 |
| CWE-ID | CWE-200 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Mozilla Thunderbird Client/Desktop applications / Messaging software |
| Vendor | Mozilla |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Information disclosure
EUVDB-ID: #VU87104
Risk: Low
CVSSv4.0: 0.2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-1936
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error in Thunderbird when handling local cache. The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third party.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Thunderbird: 115.0 - 115.8.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_thunderbird:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:115.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:115.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:115.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:115.5.1:*:*:*:*:*:*:*
https://bugzilla.mozilla.org/show_bug.cgi?id=1860977
https://www.mozilla.org/security/advisories/mfsa2024-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
