PT-2024-2228 · Mozilla+10 · Thunderbird+10

2Paso2 +1 · Published 2024-03-04 · Updated 2024-11-26 · CVE-2024-1936

CVSS v3.1: 7.5 High

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Thunderbird versions prior to 115.8.1

Description

The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third party. While this update fixes the bug and avoids future message contamination, it does not automatically repair existing contaminations. Users are advised to use the repair folder functionality, available from the context menu of email folders, which will erase incorrect subject assignments.

Recommendations

To resolve the issue, update to Thunderbird version 115.8.1 or later. As a temporary workaround, consider using the repair folder functionality, available from the context menu of email folders, to erase incorrect subject assignments.

Exploit

Fix

Information Disclosure

Insecure Storage of Sensitive Information


Weakness Enumeration

Related Identifiers

ALSA-2024:1493
ALSA-2024:1494
ALT-PU-2024-3852
ALT-PU-2024-3860
ALT-PU-2024-4748
BDU:2024-02159
CESA-2024_1494
CESA-2024_1498
CVE-2024-1936
DLA-3769-1
DSA-5644-1
MGASA-2024-0054
OPENSUSE-SU-2024:13753-1
RHSA-2024:1492
RHSA-2024:1493
RHSA-2024:1494
RHSA-2024:1495
RHSA-2024:1496
RHSA-2024:1497
RHSA-2024:1498
RHSA-2024:1499
RHSA-2024:1500
RHSA-2024_1493
RHSA-2024_1494
RHSA-2024_1498
RLSA-2024:1494
SUSE-SU-2024:0893-1
SUSE-SU-2024_0893-1
USN-6669-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Thunderbird
Ubuntu