Debian update for thunderbird
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2024-4367 CVE-2024-4767 CVE-2024-4768 CVE-2024-4769 CVE-2024-4770 CVE-2024-4777 |
| CWE-ID | CWE-843 CWE-399 CWE-357 CWE-209 CWE-416 CWE-119 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
Debian Linux Operating systems & Components / Operating system thunderbird (Debian package) Operating systems & Components / Operating system package or component |
| Vendor | Debian |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) Type Confusion
EUVDB-ID: #VU89537
Risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2024-4367
CWE-ID:
CWE-843 - Type confusion
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error when handling fonts in PDF.js. A remote attacker can trick the victim to visit a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate thunderbird package to one of the following versions: 1:115.11.0-1~deb11u1, 1:115.11.0-1~deb12u1.
Vulnerable software versionsDebian Linux: All versions
thunderbird (Debian package): before 1:115.11.0-1~deb12u1
CPE2.3 External linkshttp://lists.debian.org/debian-security-announce/2024/msg00103.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Resource management error
EUVDB-ID: #VU89538
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-4767
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to browser does not delete IndexedDB files after browser window is closed if the `browser.privatebrowsing.autostart` preference is enabled. A local user can view the file and gain access to data browsed in private browsing mode.
Update thunderbird package to one of the following versions: 1:115.11.0-1~deb11u1, 1:115.11.0-1~deb12u1.
Vulnerable software versionsDebian Linux: All versions
thunderbird (Debian package): before 1:115.11.0-1~deb12u1
CPE2.3 External linkshttp://lists.debian.org/debian-security-announce/2024/msg00103.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Insufficient UI warning of dangerous operations
EUVDB-ID: #VU89540
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-4768
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform clickjacking attack.
The vulnerability exists due to an error in the popup notifications' interaction with WebAuthn. A remote attacker can trick the victim into granting permissions to a malicious web application.
Update thunderbird package to one of the following versions: 1:115.11.0-1~deb11u1, 1:115.11.0-1~deb12u1.
Vulnerable software versionsDebian Linux: All versions
thunderbird (Debian package): before 1:115.11.0-1~deb12u1
CPE2.3 External linkshttp://lists.debian.org/debian-security-announce/2024/msg00103.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Information Exposure Through an Error Message
EUVDB-ID: #VU89547
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-4769
CWE-ID:
CWE-209 - Information Exposure Through an Error Message
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to browser issues different error messages for application/javascript responses and non-script responses when importing resources using Web Workers. A remote attacker can trick the victim to visit a specially crafted website and learn information cross-origin
MitigationUpdate thunderbird package to one of the following versions: 1:115.11.0-1~deb11u1, 1:115.11.0-1~deb12u1.
Vulnerable software versionsDebian Linux: All versions
thunderbird (Debian package): before 1:115.11.0-1~deb12u1
CPE2.3 External linkshttp://lists.debian.org/debian-security-announce/2024/msg00103.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Use-after-free
EUVDB-ID: #VU89548
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-4770
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to crash the browser.
The vulnerability exists due to a use-after-free error when saving a page to PDF. A remote attacker can trick the victim to save a specially crafted web page to PDF and crash the browser.
Update thunderbird package to one of the following versions: 1:115.11.0-1~deb11u1, 1:115.11.0-1~deb12u1.
Vulnerable software versionsDebian Linux: All versions
thunderbird (Debian package): before 1:115.11.0-1~deb12u1
CPE2.3 External linkshttp://lists.debian.org/debian-security-announce/2024/msg00103.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Buffer overflow
EUVDB-ID: #VU89549
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-4777
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate thunderbird package to one of the following versions: 1:115.11.0-1~deb11u1, 1:115.11.0-1~deb12u1.
Vulnerable software versionsDebian Linux: All versions
thunderbird (Debian package): before 1:115.11.0-1~deb12u1
CPE2.3 External linkshttp://lists.debian.org/debian-security-announce/2024/msg00103.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
