Lucene search

UbuntuUSN-6669-1

HistoryMar 04, 2024 - 12:00 a.m.

Thunderbird vulnerabilities

2024-03-0400:00:00

ubuntu.com

thunderbird

ubuntu

security issues

denial of service

sensitive information

bypass security restrictions

arbitrary code

memory management

networking channel

http responses

set-cookie

32-bit arm devices

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

9.1

Confidence

Low

EPSS

0.001

Percentile

33.5%

JSON

Releases

Ubuntu 23.10
Ubuntu 22.04 LTS
Ubuntu 20.04 LTS

Packages

thunderbird - Mozilla Open Source mail and newsgroup client

Details

Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, cross-site
tracing, or execute arbitrary code. (CVE-2024-0741, CVE-2024-0742,
CVE-2024-0747, CVE-2024-0749, CVE-2024-0750, CVE-2024-0751, CVE-2024-0753,
CVE-2024-0755, CVE-2024-1547, CVE-2024-1548, CVE-2024-1549, CVE-2024-1550,
CVE-2024-1553, CVE-2024-1936)

Cornel Ionce discovered that Thunderbird did not properly manage memory when
opening the print preview dialog. An attacker could potentially exploit
this issue to cause a denial of service. (CVE-2024-0746)

Alfred Peters discovered that Thunderbird did not properly manage memory when
storing and re-accessing data on a networking channel. An attacker could
potentially exploit this issue to cause a denial of service. (CVE-2024-1546)

Johan Carlsson discovered that Thunderbird incorrectly handled Set-Cookie
response headers in multipart HTTP responses. An attacker could potentially
exploit this issue to inject arbitrary cookie values. (CVE-2024-1551)

Gary Kwong discovered that Thunderbird incorrectly generated codes on 32-bit
ARM devices, which could lead to unexpected numeric conversions or undefined
behaviour. An attacker could possibly use this issue to cause a denial of
service. (CVE-2024-1552)

OSVersionArchitecturePackageVersionFilename
Ubuntu23.10noarchthunderbird< 1:115.8.1+build1-0ubuntu0.23.10.1UNKNOWN
Ubuntu23.10noarchthunderbird-dbg< 1:115.8.1+build1-0ubuntu0.23.10.1UNKNOWN
Ubuntu23.10noarchthunderbird-dev< 1:115.8.1+build1-0ubuntu0.23.10.1UNKNOWN
Ubuntu23.10noarchthunderbird-gnome-support< 1:115.8.1+build1-0ubuntu0.23.10.1UNKNOWN
Ubuntu23.10noarchthunderbird-gnome-support-dbg< 1:115.8.1+build1-0ubuntu0.23.10.1UNKNOWN
Ubuntu23.10noarchthunderbird-locale-af< 1:115.8.1+build1-0ubuntu0.23.10.1UNKNOWN
Ubuntu23.10noarchthunderbird-locale-ar< 1:115.8.1+build1-0ubuntu0.23.10.1UNKNOWN
Ubuntu23.10noarchthunderbird-locale-ast< 1:115.8.1+build1-0ubuntu0.23.10.1UNKNOWN
Ubuntu23.10noarchthunderbird-locale-be< 1:115.8.1+build1-0ubuntu0.23.10.1UNKNOWN
Ubuntu23.10noarchthunderbird-locale-bg< 1:115.8.1+build1-0ubuntu0.23.10.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Ubuntu	23.10	noarch	thunderbird	< 1:115.8.1+build1-0ubuntu0.23.10.1	UNKNOWN
Ubuntu	23.10	noarch	thunderbird-dbg	< 1:115.8.1+build1-0ubuntu0.23.10.1	UNKNOWN
Ubuntu	23.10	noarch	thunderbird-dev	< 1:115.8.1+build1-0ubuntu0.23.10.1	UNKNOWN
Ubuntu	23.10	noarch	thunderbird-gnome-support	< 1:115.8.1+build1-0ubuntu0.23.10.1	UNKNOWN
Ubuntu	23.10	noarch	thunderbird-gnome-support-dbg	< 1:115.8.1+build1-0ubuntu0.23.10.1	UNKNOWN
Ubuntu	23.10	noarch	thunderbird-locale-af	< 1:115.8.1+build1-0ubuntu0.23.10.1	UNKNOWN
Ubuntu	23.10	noarch	thunderbird-locale-ar	< 1:115.8.1+build1-0ubuntu0.23.10.1	UNKNOWN
Ubuntu	23.10	noarch	thunderbird-locale-ast	< 1:115.8.1+build1-0ubuntu0.23.10.1	UNKNOWN
Ubuntu	23.10	noarch	thunderbird-locale-be	< 1:115.8.1+build1-0ubuntu0.23.10.1	UNKNOWN
Ubuntu	23.10	noarch	thunderbird-locale-bg	< 1:115.8.1+build1-0ubuntu0.23.10.1	UNKNOWN