SB2024090903 - Ubuntu update for thunderbird

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024090903

SB2024090903 - Ubuntu update for thunderbird

Published: September 9, 2024 Updated: February 7, 2025

Security Bulletin ID SB2024090903
Severity
High
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 60% Medium 30% Low 10%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 10 secuirty vulnerabilities.


1) Use-after-free (CVE-ID: CVE-2024-7521)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in WebAssembly. A remote attacker can trick the victim to visit a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.


2) Use of uninitialized resource (CVE-ID: CVE-2024-7526)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to usage of uninitialized resources in WebGL ANGLE. A remote attacker can trick the victim to visit a specially crafted website and gain access to sensitive information.


3) Use-after-free (CVE-ID: CVE-2024-7527)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in JavaScript garbage collection. A remote attacker can trick the victim into visiting a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.


4) Multiple Interpretations of UI Input (CVE-ID: CVE-2024-7529)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exist due to improper handling of the date picker, which can obscure security prompts. A remote attacker use a malicious site to trick a victim into granting permissions.


5) Exposed dangerous method or function (CVE-ID: CVE-2024-8382)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to internal browser event interfaces are exposed to web content when privileged EventHandler listener callbacks ran for those events. A remote attacker can indicate usage of certain browser features, such as when a user opens the Dev Tools console.


6) Out-of-bounds read (CVE-ID: CVE-2024-7519)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary error when processing graphics shared memory. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger an out-of-bounds read and bypass browser sandbox.


7) Out-of-bounds read (CVE-ID: CVE-2024-7522)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary error in editor component. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger an out-of-bounds read and bypass browser sandbox.


8) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-7525)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due missing permission check when creating a StreamFilter. A web extension with minimal permissions can create a StreamFilter, which can be used to read and modify the response body of requests on any site.


9) Type Confusion (CVE-ID: CVE-2024-8381)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error when looking up a property name in a "with" block. A remote attacker can trick the victim into visiting a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


10) Buffer overflow (CVE-ID: CVE-2024-8384)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in JavaScript garbage collector when HTML content. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


Remediation

Install update from vendor's website.

References