Vulnerability Description
The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third-party. While this update fixes the bug and avoids future message contamination, it does not automatically repair existing contaminations. Users are advised to use the repair folder functionality, which is available from the context menu of email folders, which will erase incorrect subject assignments. This vulnerability affects Thunderbird < 115.8.1.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Thunderbird | < 115.8.1 |
| Debian | Debian Linux | 10.0 |
Related Weaknesses (CWE)
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1860977ExploitIssue TrackingVendor Advisory
- https://lists.debian.org/debian-lts-announce/2024/03/msg00022.htmlMailing List
- https://www.mozilla.org/security/advisories/mfsa2024-11/Vendor Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=1860977ExploitIssue TrackingVendor Advisory
- https://lists.debian.org/debian-lts-announce/2024/03/msg00022.htmlMailing List
- https://www.mozilla.org/security/advisories/mfsa2024-11/Vendor Advisory
FAQ
What is CVE-2024-1936?
CVE-2024-1936 is a vulnerability with a CVSS score of 7.5 (HIGH). The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Consequently, when replying to the contaminate...
How severe is CVE-2024-1936?
CVE-2024-1936 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-1936?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Thunderbird, Debian Debian Linux.