#VU87104 Information disclosure in Mozilla Thunderbird


Published: 2024-03-05

Vulnerability identifier: #VU87104

Vulnerability risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-1936

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mozilla Thunderbird
Client/Desktop applications / Messaging software

Vendor: Mozilla

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an error in Thunderbird when handling local cache. The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third party.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mozilla Thunderbird: 115.0 - 115.8.0

External links
http://bugzilla.mozilla.org/show_bug.cgi?id=1860977
http://www.mozilla.org/security/advisories/mfsa2024-11/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Oracle Linux
CentOS 7 update for thunderbird
Red Hat Enterprise Linux 8 update for thunderbird
Red Hat Enterprise Linux 8 update for thunderbird
Red Hat Enterprise Linux 8.6 Extended Update Support update for thunderbird
Red Hat Enterprise Linux 8.8 Extended Update Support update for thunderbird
Red Hat Enterprise Linux 9.0 Extended Update Support update for thunderbird
Red Hat Enterprise Linux 7 update for thunderbird
Red Hat Enterprise Linux 8 update for thunderbird
Red Hat Enterprise Linux 9 update for thunderbird