Release Date: | 2024-03-04 |
The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third party. While this update fixes the bug and avoids future message contamination, it does not automatically repair existing contaminations. Users are advised to use the repair folder functionality, which is available from the context menu of email folders, which will erase incorrect subject assignments. This vulnerability affects Thunderbird < 115.8.1.
See more information about CVE-2024-1936 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS v3.0 metrics and score provided are preliminary and subject to review.
Base Score: | 7.5 | Base Metrics: | AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
Access Vector: | Network | Attack Complexity: | High |
Privileges Required: | None | User Interaction: | Required |
Scope: | Unchanged | Confidentiality Impact: | High |
Integrity Impact: | High | Availability Impact: | High |
Platform | Errata | Release Date |
Oracle Linux version 7 (thunderbird) | ELSA-2024-1498 | 2024-03-25 |
Oracle Linux version 8 (thunderbird) | ELSA-2024-1494 | 2024-03-26 |
Oracle Linux version 9 (thunderbird) | ELSA-2024-1493 | 2024-03-26 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team