Amazon Linux 2 : thunderbird, --advisory ALAS2-2025-3052 (ALAS-2025-3052)

🗓️ 28 Oct 2025 00:00:00Reported by TenableType

Thunderbird on Amazon Linux 2 is older than 140.4.0-1 and affected by multiple CVEs under advisory ALAS2-2025-3052.

Reporter	Title	Published	Views	Family All 774
FreeBSD	Mozilla -- Memory safety bugs	14 Oct 202500:00	–	freebsd
FreeBSD	Mozilla -- Memory safety bugs	14 Oct 202500:00	–	freebsd
FreeBSD	Mozilla -- XSS in sites without content-type header	14 Oct 202500:00	–	freebsd
FreeBSD	Mozilla -- Use-after-free	14 Oct 202500:00	–	freebsd
FreeBSD	Mozilla -- Out-of-bounds reads and writes	14 Oct 202500:00	–	freebsd
FreeBSD	Mozilla -- Memory disclosure	14 Oct 202500:00	–	freebsd
FreeBSD	Mozilla -- JavaScript Object property overriding	14 Oct 202500:00	–	freebsd
IBM Security Bulletins	Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities	15 Apr 202503:04	–	ibm
ATTACKERKB	CVE-2025-11709	14 Oct 202512:27	–	attackerkb
ATTACKERKB	CVE-2025-11710	14 Oct 202512:27	–	attackerkb

Source	Link
alas	www.alas.aws.amazon.com//AL2/ALAS2-2025-3052.html
alas	www.alas.aws.amazon.com/faqs.html
explore	www.explore.alas.aws.amazon.com/CVE-2024-5197.html
explore	www.explore.alas.aws.amazon.com/CVE-2025-11708.html
explore	www.explore.alas.aws.amazon.com/CVE-2025-11709.html
explore	www.explore.alas.aws.amazon.com/CVE-2025-11710.html
explore	www.explore.alas.aws.amazon.com/CVE-2025-11711.html
explore	www.explore.alas.aws.amazon.com/CVE-2025-11712.html
explore	www.explore.alas.aws.amazon.com/CVE-2025-11714.html
explore	www.explore.alas.aws.amazon.com/CVE-2025-11715.html

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALAS-2025-3052.
##

include('compat.inc');

if (description)
{
  script_id(271746);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/21");

  script_cve_id(
    "CVE-2024-5197",
    "CVE-2025-11708",
    "CVE-2025-11709",
    "CVE-2025-11710",
    "CVE-2025-11711",
    "CVE-2025-11712",
    "CVE-2025-11714",
    "CVE-2025-11715"
  );
  script_xref(name:"IAVA", value:"2025-A-0743-S");

  script_name(english:"Amazon Linux 2 : thunderbird, --advisory ALAS2-2025-3052 (ALAS-2025-3052)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of thunderbird installed on the remote host is prior to 140.4.0-1. It is, therefore, affected by multiple
vulnerabilities as referenced in the ALAS2-2025-3052 advisory.

    There exists interger overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a
    large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of
    buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. Calling
    vpx_img_wrap() with a large value of the d_w, d_h, or stride_align parameter may result in integer
    overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t
    struct may be invalid. We recommend upgrading to version 1.14.1 or beyond (CVE-2024-5197)

    Use-after-free in MediaTrackGraphImpl::GetInstance() This vulnerability affects Firefox < 144, Firefox ESR
    < 140.4, Thunderbird < 144, and Thunderbird < 140.4. (CVE-2025-11708)

    A compromised web process was able to trigger out of bounds reads and writes in a more privileged process
    using manipulated WebGL textures. This vulnerability affects Firefox < 144, Firefox ESR < 115.29, Firefox
    ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4. (CVE-2025-11709)

    A compromised web process using malicious IPC messages could have caused the privileged browser process to
    reveal blocks of its memory to the compromised process. This vulnerability affects Firefox < 144, Firefox
    ESR < 115.29, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4. (CVE-2025-11710)

    There was a way to change the value of JavaScript Object properties that were supposed to be non-
    writeable. This vulnerability affects Firefox < 144, Firefox ESR < 115.29, Firefox ESR < 140.4,
    Thunderbird < 144, and Thunderbird < 140.4. (CVE-2025-11711)

    A malicious page could have used the type attribute of an OBJECT tag to override the default browser
    behavior when encountering a web resource served without a content-type. This could have contributed to an
    XSS on a site that unsafely serves files without a content-type header. This vulnerability affects Firefox
    < 144, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4. (CVE-2025-11712)

    Memory safety bugs present in Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143
    and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with
    enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects
    Firefox < 144, Firefox ESR < 115.29, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4.
    (CVE-2025-11714)

    Memory safety bugs present in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143.
    Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of
    these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 144, Firefox
    ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4. (CVE-2025-11715)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com//AL2/ALAS2-2025-3052.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2024-5197.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-11708.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-11709.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-11710.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-11711.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-11712.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-11714.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-11715.html");
  script_set_attribute(attribute:"solution", value:
"Run 'yum update thunderbird' or
  or 'yum update --advisory ALAS2-2025-3052' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:L/SI:L/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-5197");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/06/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/10/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/10/28");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:thunderbird");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Amazon Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var pkgs = [
    {'reference':'thunderbird-140.4.0-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE},
    {'reference':'thunderbird-140.4.0-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  var cves = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "thunderbird");
}

21 Jan 2026 00:00Current

8High risk

Vulners AI Score8

CVSS 3.19.1 - 9.8

CVSS 45.9

EPSS0.00325

SSVC