CVE-2024-1936

2024-03-0422:15:46

Debian Security Bug Tracker

security-tracker.debian.org

thunderbird

email encryption

data leakage

vulnerability

update

manual action

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

6.5

Confidence

High

EPSS

Percentile

15.5%

JSON

The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird’s local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third party. While this update fixes the bug and avoids future message contamination, it does not automatically repair existing contaminations. Users are advised to use the repair folder functionality, which is available from the context menu of email folders, which will erase incorrect subject assignments. This vulnerability affects Thunderbird < 115.8.1.

OSVersionArchitecturePackageVersionFilename
Debian12allthunderbird< 1:115.9.0-1~deb12u1thunderbird_1:115.9.0-1~deb12u1_all.deb
Debian11allthunderbird< 1:115.9.0-1~deb11u1thunderbird_1:115.9.0-1~deb11u1_all.deb
Debian999allthunderbird< 1:115.8.1-1thunderbird_1:115.8.1-1_all.deb
Debian13allthunderbird< 1:115.8.1-1thunderbird_1:115.8.1-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	thunderbird	< 1:115.9.0-1~deb12u1	thunderbird_1:115.9.0-1~deb12u1_all.deb
Debian	11	all	thunderbird	< 1:115.9.0-1~deb11u1	thunderbird_1:115.9.0-1~deb11u1_all.deb
Debian	999	all	thunderbird	< 1:115.8.1-1	thunderbird_1:115.8.1-1_all.deb
Debian	13	all	thunderbird	< 1:115.8.1-1	thunderbird_1:115.8.1-1_all.deb