CVSS2: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 10 High
Confidence: High

EPSS: 0.956 High
Percentile: 99.4%

Benoit Jacob, Olli Pettay, Jan Varga, Jan de Mooij, Jesse Ruderman, Dan
Gohman and Christoph Diehl discovered multiple memory safety issues in
Thunderbird. If a user were tricked into opening a specially crafted
message with scripting enabled, an attacker could potentially exploit
these to cause a denial of service via application crash, or execute
arbitrary code with the privileges of the user invoking Thunderbird.
(CVE-2014-1493)

Atte Kettunen discovered an out-of-bounds read during WAV file decoding.
If a user had enabled audio, an attacker could potentially exploit this
to cause a denial of service via application crash. (CVE-2014-1497)

Robert O’Callahan discovered a mechanism for timing attacks involving
SVG filters and displacements input to feDisplacementMap. If a user had
enabled scripting, an attacker could potentially exploit this to steal
confidential information across domains. (CVE-2014-1505)

Tyson Smith and Jesse Schwartzentruber discovered an out-of-bounds read
during polygon rendering in MathML. If a user had enabled scripting, an
attacker could potentially exploit this to steal confidential information
across domains. (CVE-2014-1508)

John Thomson discovered a memory corruption bug in the Cairo graphics
library. If a user had a malicious extension installed, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2014-1509)

Mariusz Mlynski discovered that web content could open a chrome privileged
page and bypass the popup blocker in some circumstances. If a user had
enabled scripting, an attacker could potentially exploit this to execute
arbitrary code with the privileges of the user invoking Thunderbird.
(CVE-2014-1510, CVE-2014-1511)

It was discovered that memory pressure during garbage collection resulted
in memory corruption in some circumstances. If a user had enabled
scripting, an attacker could potentially exploit this to cause a denial
of service via application crash or execute arbitrary code with the
privileges of the user invoking Thunderbird. (CVE-2014-1512)

Jüri Aedla discovered out-of-bounds reads and writes with TypedArrayObject
in some circumstances. If a user had enabled scripting, an attacker could
potentially exploit this to cause a denial of service via application
crash or execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2014-1513)

George Hotz discovered an out-of-bounds write with TypedArrayObject. If a
user had enabled scripting, an attacker could potentially exploit this to
cause a denial of service via application crash or execute arbitrary code
with the privileges of the user invoking Thunderbird. (CVE-2014-1514)

OS | OS Version | Architecture | Package | Affected Package Version | Filename |
---|---|---|---|---|---|
Ubuntu | 13.10 | noarch | thunderbird | < 1:24.4.0+build1-0ubuntu0.13.10.2 | UNKNOWN |
Ubuntu | 13.10 | noarch | thunderbird-dbg | < 1:24.4.0+build1-0ubuntu0.13.10.2 | UNKNOWN |
Ubuntu | 13.10 | noarch | thunderbird-dev | < 1:24.4.0+build1-0ubuntu0.13.10.2 | UNKNOWN |
Ubuntu | 13.10 | noarch | thunderbird-globalmenu | < 1:24.4.0+build1-0ubuntu0.13.10.2 | UNKNOWN |
Ubuntu | 13.10 | noarch | thunderbird-gnome-support | < 1:24.4.0+build1-0ubuntu0.13.10.2 | UNKNOWN |
Ubuntu | 13.10 | noarch | thunderbird-gnome-support-dbg | < 1:24.4.0+build1-0ubuntu0.13.10.2 | UNKNOWN |
Ubuntu | 13.10 | noarch | thunderbird-locale-af | < 1:24.4.0+build1-0ubuntu0.13.10.2 | UNKNOWN |
Ubuntu | 13.10 | noarch | thunderbird-locale-ar | < 1:24.4.0+build1-0ubuntu0.13.10.2 | UNKNOWN |
Ubuntu | 13.10 | noarch | thunderbird-locale-ast | < 1:24.4.0+build1-0ubuntu0.13.10.2 | UNKNOWN |
Ubuntu | 13.10 | noarch | thunderbird-locale-be | < 1:24.4.0+build1-0ubuntu0.13.10.2 | UNKNOWN |
launchpad.net/bugs/1293851
ubuntu.com/security/CVE-2014-1493
ubuntu.com/security/CVE-2014-1497
ubuntu.com/security/CVE-2014-1505
ubuntu.com/security/CVE-2014-1508
ubuntu.com/security/CVE-2014-1509
ubuntu.com/security/CVE-2014-1510
ubuntu.com/security/CVE-2014-1511
ubuntu.com/security/CVE-2014-1512
ubuntu.com/security/CVE-2014-1513
ubuntu.com/security/CVE-2014-1514