Vulnerability Details: CVE-2024-1936
The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third party. While this update fixes the bug and avoids future message contamination, it does not automatically repair existing contaminations. Users are advised to use the repair folder functionality, available from the context menu of email folders, which will erase incorrect subject assignments. This vulnerability affects Thunderbird < 115.8.1.
Exploit prediction scoring system (EPSS) score for CVE-2024-1936
- EPSS score: 0.10% (probability of exploitation activity in the next 30 days)
- Percentile: ~29% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2024-1936
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.6 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2024-08-08 |
CWE ids for CVE-2024-1936
- The product stores sensitive information without properly limiting read or write access by unauthorized actors. Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
References for CVE-2024-1936
- https://www.mozilla.org/security/advisories/mfsa2024-11/
Security Vulnerabilities fixed in Thunderbird 115.8.1 — Mozilla
- https://lists.debian.org/debian-lts-announce/2024/03/msg00022.html
[SECURITY] [DLA 3769-1] thunderbird security update
- https://bugzilla.mozilla.org/show_bug.cgi?id=1860977
1860977 - (CVE-2024-1936) PGP encryption can change subject of E-Mail if selecting other mail A while large mail B is decrypting