CVSS3 : 9.8 High
Attack Vector : NETWORK
Attack Complexity : LOW
Privileges Required : NONE
User Interaction : NONE
Scope : UNCHANGED
Confidentiality Impact : HIGH
Integrity Impact : HIGH
Availability Impact : HIGH
Vector : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2 : 10 High
Access Vector : NETWORK
Access Complexity : LOW
Authentication : NONE
Confidentiality Impact : COMPLETE
Integrity Impact : COMPLETE
Availability Impact : COMPLETE
Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS : 0.924 High
Percentile : 99.0%

Severity: Critical
Date : 2017-03-10
CVE-ID : CVE-2017-5398 CVE-2017-5400 CVE-2017-5401 CVE-2017-5402
CVE-2017-5404 CVE-2017-5405 CVE-2017-5407 CVE-2017-5408
CVE-2017-5410
Package : thunderbird
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-193

The package thunderbird before version 45.8.0-1 is vulnerable to
multiple issues including arbitrary code execution, information
disclosure and content spoofing.

Upgrade to 45.8.0-1.
The problems have been fixed upstream in version 45.8.0.

None.

Several memory safety bugs, some of them leading to memory corruption
issues, have been found in Firefox < 52 and Thunderbird < 45.8.

JIT-spray targeting asm.js combined with a heap spray allows for a
bypass of ASLR and DEP protections leading to potential memory
corruption attacks.

A crash triggerable by web content in which an ErrorResult references
unassigned memory due to a logic error.

A use-after-free can occur when events are fired for a FontFace object
after the object has already been destroyed while working with
fonts.

A use-after-free error can occur when manipulating ranges in selections
with one node inside a native anonymous tree and one node outside of
it. This results in a potentially exploitable crash.

Certain response codes in FTP connections can result in the use of
uninitialized values for ports in FTP operations.

Using SVG filters that don't use the fixed point math implementation on
a target iframe, a malicious page can extract pixel values from a
targeted user. This can be used to extract history information and read
text values across domains. This violates same-origin policy and leads
to information disclosure.

Video files loaded video captions cross-origin without checking for the
presence of CORS headers permitting such cross-origin use, leading to
potential information disclosure for video captions.

Memory corruption resulting in a potentially exploitable crash during
garbage collection of JavaScript due to errors in how incremental sweeping
is managed for memory cleanup.

A remote attacker can access sensitive information, force a user to
connect to a spoofed FTP port or execute arbitrary code on the affected
host.

https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5398
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1332550%2C1332597%2C1338383%2C1321612%2C1322971%2C1333568%2C1333887%2C1335450%2C1325052%2C1324379%2C1336510
https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5400
https://bugzilla.mozilla.org/show_bug.cgi?id=1334933
https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5401
https://bugzilla.mozilla.org/show_bug.cgi?id=1328861
https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5402
https://bugzilla.mozilla.org/show_bug.cgi?id=1334876
https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5404
https://bugzilla.mozilla.org/show_bug.cgi?id=1340138
https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5405
https://bugzilla.mozilla.org/show_bug.cgi?id=1336699
https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5407
https://bugzilla.mozilla.org/show_bug.cgi?id=1336622
https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5408
https://bugzilla.mozilla.org/show_bug.cgi?id=1313711
https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5410
https://bugzilla.mozilla.org/show_bug.cgi?id=1330687
https://security.archlinux.org/CVE-2017-5398
https://security.archlinux.org/CVE-2017-5400
https://security.archlinux.org/CVE-2017-5401
https://security.archlinux.org/CVE-2017-5402
https://security.archlinux.org/CVE-2017-5404
https://security.archlinux.org/CVE-2017-5405
https://security.archlinux.org/CVE-2017-5407
https://security.archlinux.org/CVE-2017-5408
https://security.archlinux.org/CVE-2017-5410
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ArchLinux | any | any | thunderbird | < 45.8.0-1 | UNKNOWN |