csaf_opensuse - opensuse-su-2017:3434-1

OPENSUSE-SU-2017:3434-1

Vulnerability from csaf_opensuse - Published: 2017-12-24 22:29 - Updated: 2017-12-24 22:29

Summary

Security update for Mozilla Thunderbird

Notes

Title of the patch

Security update for Mozilla Thunderbird

Description of the patch

This update for Mozilla Thunderbird to version 52.5.2 fixes the following vulnerabilities: - CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin (bsc#1074043) - CVE-2017-7847: Local path string can be leaked from RSS feed (bsc#1074044) - CVE-2017-7848: RSS Feed vulnerable to new line Injection (bsc#1074045) - CVE-2017-7829: From address with encoded null character is cut off in message header display (bsc#1074046)

Patchnames

openSUSE-2017-1419

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for Mozilla Thunderbird",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for Mozilla Thunderbird to version 52.5.2 fixes the following vulnerabilities:\n  \n- CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin (bsc#1074043)\n- CVE-2017-7847: Local path string can be leaked from RSS feed (bsc#1074044)\n- CVE-2017-7848: RSS Feed vulnerable to new line Injection (bsc#1074045)\n- CVE-2017-7829: From address with encoded null character is cut off in message header display (bsc#1074046)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2017-1419",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2017_3434-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2017:3434-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AP5ZAGU2HEQMTGXGL2VCNWZVK7AJTIMO/#AP5ZAGU2HEQMTGXGL2VCNWZVK7AJTIMO"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2017:3434-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AP5ZAGU2HEQMTGXGL2VCNWZVK7AJTIMO/#AP5ZAGU2HEQMTGXGL2VCNWZVK7AJTIMO"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1074043",
        "url": "https://bugzilla.suse.com/1074043"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1074044",
        "url": "https://bugzilla.suse.com/1074044"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1074045",
        "url": "https://bugzilla.suse.com/1074045"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1074046",
        "url": "https://bugzilla.suse.com/1074046"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2017-7829 page",
        "url": "https://www.suse.com/security/cve/CVE-2017-7829/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2017-7846 page",
        "url": "https://www.suse.com/security/cve/CVE-2017-7846/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2017-7847 page",
        "url": "https://www.suse.com/security/cve/CVE-2017-7847/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2017-7848 page",
        "url": "https://www.suse.com/security/cve/CVE-2017-7848/"
      }
    ],
    "title": "Security update for Mozilla Thunderbird",
    "tracking": {
      "current_release_date": "2017-12-24T22:29:25Z",
      "generator": {
        "date": "2017-12-24T22:29:25Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2017:3434-1",
      "initial_release_date": "2017-12-24T22:29:25Z",
      "revision_history": [
        {
          "date": "2017-12-24T22:29:25Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "MozillaThunderbird-52.5.2-51.1.x86_64",
                "product": {
                  "name": "MozillaThunderbird-52.5.2-51.1.x86_64",
                  "product_id": "MozillaThunderbird-52.5.2-51.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaThunderbird-buildsymbols-52.5.2-51.1.x86_64",
                "product": {
                  "name": "MozillaThunderbird-buildsymbols-52.5.2-51.1.x86_64",
                  "product_id": "MozillaThunderbird-buildsymbols-52.5.2-51.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaThunderbird-devel-52.5.2-51.1.x86_64",
                "product": {
                  "name": "MozillaThunderbird-devel-52.5.2-51.1.x86_64",
                  "product_id": "MozillaThunderbird-devel-52.5.2-51.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaThunderbird-translations-common-52.5.2-51.1.x86_64",
                "product": {
                  "name": "MozillaThunderbird-translations-common-52.5.2-51.1.x86_64",
                  "product_id": "MozillaThunderbird-translations-common-52.5.2-51.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaThunderbird-translations-other-52.5.2-51.1.x86_64",
                "product": {
                  "name": "MozillaThunderbird-translations-other-52.5.2-51.1.x86_64",
                  "product_id": "MozillaThunderbird-translations-other-52.5.2-51.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Package Hub 12",
                "product": {
                  "name": "SUSE Package Hub 12",
                  "product_id": "SUSE Package Hub 12",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:packagehub:12"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaThunderbird-52.5.2-51.1.x86_64 as component of SUSE Package Hub 12",
          "product_id": "SUSE Package Hub 12:MozillaThunderbird-52.5.2-51.1.x86_64"
        },
        "product_reference": "MozillaThunderbird-52.5.2-51.1.x86_64",
        "relates_to_product_reference": "SUSE Package Hub 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaThunderbird-buildsymbols-52.5.2-51.1.x86_64 as component of SUSE Package Hub 12",
          "product_id": "SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.5.2-51.1.x86_64"
        },
        "product_reference": "MozillaThunderbird-buildsymbols-52.5.2-51.1.x86_64",
        "relates_to_product_reference": "SUSE Package Hub 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaThunderbird-devel-52.5.2-51.1.x86_64 as component of SUSE Package Hub 12",
          "product_id": "SUSE Package Hub 12:MozillaThunderbird-devel-52.5.2-51.1.x86_64"
        },
        "product_reference": "MozillaThunderbird-devel-52.5.2-51.1.x86_64",
        "relates_to_product_reference": "SUSE Package Hub 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaThunderbird-translations-common-52.5.2-51.1.x86_64 as component of SUSE Package Hub 12",
          "product_id": "SUSE Package Hub 12:MozillaThunderbird-translations-common-52.5.2-51.1.x86_64"
        },
        "product_reference": "MozillaThunderbird-translations-common-52.5.2-51.1.x86_64",
        "relates_to_product_reference": "SUSE Package Hub 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaThunderbird-translations-other-52.5.2-51.1.x86_64 as component of SUSE Package Hub 12",
          "product_id": "SUSE Package Hub 12:MozillaThunderbird-translations-other-52.5.2-51.1.x86_64"
        },
        "product_reference": "MozillaThunderbird-translations-other-52.5.2-51.1.x86_64",
        "relates_to_product_reference": "SUSE Package Hub 12"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2017-7829",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2017-7829"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "It is possible to spoof the sender\u0027s email address and display an arbitrary sender address to the email recipient. The real sender\u0027s address is not displayed if preceded by a null character in the display string. This vulnerability affects Thunderbird \u003c 52.5.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 12:MozillaThunderbird-52.5.2-51.1.x86_64",
          "SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.5.2-51.1.x86_64",
          "SUSE Package Hub 12:MozillaThunderbird-devel-52.5.2-51.1.x86_64",
          "SUSE Package Hub 12:MozillaThunderbird-translations-common-52.5.2-51.1.x86_64",
          "SUSE Package Hub 12:MozillaThunderbird-translations-other-52.5.2-51.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2017-7829",
          "url": "https://www.suse.com/security/cve/CVE-2017-7829"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1071236 for CVE-2017-7829",
          "url": "https://bugzilla.suse.com/1071236"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1074046 for CVE-2017-7829",
          "url": "https://bugzilla.suse.com/1074046"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 12:MozillaThunderbird-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-devel-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-translations-common-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-translations-other-52.5.2-51.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "SUSE Package Hub 12:MozillaThunderbird-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-devel-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-translations-common-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-translations-other-52.5.2-51.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2017-12-24T22:29:25Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2017-7829"
    },
    {
      "cve": "CVE-2017-7846",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2017-7846"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "It is possible to execute JavaScript in the parsed RSS feed when RSS feed is viewed as a website, e.g. via \"View -\u003e Feed article -\u003e Website\" or in the standard format of \"View -\u003e Feed article -\u003e default format\". This vulnerability affects Thunderbird \u003c 52.5.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 12:MozillaThunderbird-52.5.2-51.1.x86_64",
          "SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.5.2-51.1.x86_64",
          "SUSE Package Hub 12:MozillaThunderbird-devel-52.5.2-51.1.x86_64",
          "SUSE Package Hub 12:MozillaThunderbird-translations-common-52.5.2-51.1.x86_64",
          "SUSE Package Hub 12:MozillaThunderbird-translations-other-52.5.2-51.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2017-7846",
          "url": "https://www.suse.com/security/cve/CVE-2017-7846"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1074043 for CVE-2017-7846",
          "url": "https://bugzilla.suse.com/1074043"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 12:MozillaThunderbird-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-devel-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-translations-common-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-translations-other-52.5.2-51.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "SUSE Package Hub 12:MozillaThunderbird-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-devel-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-translations-common-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-translations-other-52.5.2-51.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2017-12-24T22:29:25Z",
          "details": "important"
        }
      ],
      "title": "CVE-2017-7846"
    },
    {
      "cve": "CVE-2017-7847",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2017-7847"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain user name. This vulnerability affects Thunderbird \u003c 52.5.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 12:MozillaThunderbird-52.5.2-51.1.x86_64",
          "SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.5.2-51.1.x86_64",
          "SUSE Package Hub 12:MozillaThunderbird-devel-52.5.2-51.1.x86_64",
          "SUSE Package Hub 12:MozillaThunderbird-translations-common-52.5.2-51.1.x86_64",
          "SUSE Package Hub 12:MozillaThunderbird-translations-other-52.5.2-51.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2017-7847",
          "url": "https://www.suse.com/security/cve/CVE-2017-7847"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1074044 for CVE-2017-7847",
          "url": "https://bugzilla.suse.com/1074044"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 12:MozillaThunderbird-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-devel-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-translations-common-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-translations-other-52.5.2-51.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "SUSE Package Hub 12:MozillaThunderbird-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-devel-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-translations-common-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-translations-other-52.5.2-51.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2017-12-24T22:29:25Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2017-7847"
    },
    {
      "cve": "CVE-2017-7848",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2017-7848"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "RSS fields can inject new lines into the created email structure, modifying the message body. This vulnerability affects Thunderbird \u003c 52.5.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 12:MozillaThunderbird-52.5.2-51.1.x86_64",
          "SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.5.2-51.1.x86_64",
          "SUSE Package Hub 12:MozillaThunderbird-devel-52.5.2-51.1.x86_64",
          "SUSE Package Hub 12:MozillaThunderbird-translations-common-52.5.2-51.1.x86_64",
          "SUSE Package Hub 12:MozillaThunderbird-translations-other-52.5.2-51.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2017-7848",
          "url": "https://www.suse.com/security/cve/CVE-2017-7848"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1074045 for CVE-2017-7848",
          "url": "https://bugzilla.suse.com/1074045"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 12:MozillaThunderbird-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-devel-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-translations-common-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-translations-other-52.5.2-51.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "SUSE Package Hub 12:MozillaThunderbird-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-devel-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-translations-common-52.5.2-51.1.x86_64",
            "SUSE Package Hub 12:MozillaThunderbird-translations-other-52.5.2-51.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2017-12-24T22:29:25Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2017-7848"
    }
  ]
}

CVE-2017-7846 (GCVE-0-2017-7846)

Vulnerability from cvelistv5 – Published: 2018-06-11 21:00 – Updated: 2024-08-05 16:19

Summary

It is possible to execute JavaScript in the parsed RSS feed when RSS feed is viewed as a website, e.g. via "View -> Feed article -> Website" or in the standard format of "View -> Feed article -> default format". This vulnerability affects Thunderbird < 52.5.2.

Severity ?

No CVSS data available.

CWE

JavaScript Execution via RSS in mailbox:// origin

Assigner

mozilla

References

URL

Tags

	https://lists.debian.org/debian-lts-announce/2017…	mailing-listx_refsource_MLIST
	https://bugzilla.mozilla.org/show_bug.cgi?id=1411716	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/102258	vdb-entryx_refsource_BID
	http://www.securitytracker.com/id/1040123	vdb-entryx_refsource_SECTRACK
	https://www.mozilla.org/security/advisories/mfsa2…	x_refsource_CONFIRM
	https://www.debian.org/security/2017/dsa-4075	vendor-advisoryx_refsource_DEBIAN
	https://access.redhat.com/errata/RHSA-2018:0061	vendor-advisoryx_refsource_REDHAT

Impacted products

	Vendor	Product	Version
	Mozilla	Thunderbird	Affected: unspecified , < 52.5.2 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T16:19:29.313Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[debian-lts-announce] 20171227 [SECURITY] [DLA 1223-1] thunderbird security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00026.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1411716"
          },
          {
            "name": "102258",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/102258"
          },
          {
            "name": "1040123",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1040123"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2017-30/"
          },
          {
            "name": "DSA-4075",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2017/dsa-4075"
          },
          {
            "name": "RHSA-2018:0061",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:0061"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "52.5.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2017-12-22T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "It is possible to execute JavaScript in the parsed RSS feed when RSS feed is viewed as a website, e.g. via \"View -\u003e Feed article -\u003e Website\" or in the standard format of \"View -\u003e Feed article -\u003e default format\". This vulnerability affects Thunderbird \u003c 52.5.2."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "JavaScript Execution via RSS in mailbox:// origin",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-06-12T09:57:01",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "name": "[debian-lts-announce] 20171227 [SECURITY] [DLA 1223-1] thunderbird security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00026.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1411716"
        },
        {
          "name": "102258",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/102258"
        },
        {
          "name": "1040123",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1040123"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2017-30/"
        },
        {
          "name": "DSA-4075",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2017/dsa-4075"
        },
        {
          "name": "RHSA-2018:0061",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:0061"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@mozilla.org",
          "ID": "CVE-2017-7846",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Thunderbird",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "52.5.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Mozilla"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "It is possible to execute JavaScript in the parsed RSS feed when RSS feed is viewed as a website, e.g. via \"View -\u003e Feed article -\u003e Website\" or in the standard format of \"View -\u003e Feed article -\u003e default format\". This vulnerability affects Thunderbird \u003c 52.5.2."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "JavaScript Execution via RSS in mailbox:// origin"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[debian-lts-announce] 20171227 [SECURITY] [DLA 1223-1] thunderbird security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00026.html"
            },
            {
              "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1411716",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1411716"
            },
            {
              "name": "102258",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/102258"
            },
            {
              "name": "1040123",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1040123"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2017-30/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2017-30/"
            },
            {
              "name": "DSA-4075",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2017/dsa-4075"
            },
            {
              "name": "RHSA-2018:0061",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:0061"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2017-7846",
    "datePublished": "2018-06-11T21:00:00",
    "dateReserved": "2017-04-12T00:00:00",
    "dateUpdated": "2024-08-05T16:19:29.313Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2017-7829 (GCVE-0-2017-7829)

Vulnerability from cvelistv5 – Published: 2018-06-11 21:00 – Updated: 2024-08-05 16:19

Summary

It is possible to spoof the sender's email address and display an arbitrary sender address to the email recipient. The real sender's address is not displayed if preceded by a null character in the display string. This vulnerability affects Thunderbird < 52.5.2.

Severity ?

No CVSS data available.

CWE

Mailsploit part 1: From address with encoded null character is cut off in message header display

Assigner

mozilla

References

URL

Tags

	https://lists.debian.org/debian-lts-announce/2017…	mailing-listx_refsource_MLIST
	https://usn.ubuntu.com/3529-1/	vendor-advisoryx_refsource_UBUNTU
	https://bugzilla.mozilla.org/show_bug.cgi?id=1423432	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/102258	vdb-entryx_refsource_BID
	http://www.securitytracker.com/id/1040123	vdb-entryx_refsource_SECTRACK
	https://www.mozilla.org/security/advisories/mfsa2…	x_refsource_CONFIRM
	https://www.debian.org/security/2017/dsa-4075	vendor-advisoryx_refsource_DEBIAN
	https://access.redhat.com/errata/RHSA-2018:0061	vendor-advisoryx_refsource_REDHAT

Impacted products

	Vendor	Product	Version
	Mozilla	Thunderbird	Affected: unspecified , < 52.5.2 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T16:19:27.675Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[debian-lts-announce] 20171227 [SECURITY] [DLA 1223-1] thunderbird security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00026.html"
          },
          {
            "name": "USN-3529-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3529-1/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1423432"
          },
          {
            "name": "102258",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/102258"
          },
          {
            "name": "1040123",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1040123"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2017-30/"
          },
          {
            "name": "DSA-4075",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2017/dsa-4075"
          },
          {
            "name": "RHSA-2018:0061",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:0061"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "52.5.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2017-12-22T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "It is possible to spoof the sender\u0027s email address and display an arbitrary sender address to the email recipient. The real sender\u0027s address is not displayed if preceded by a null character in the display string. This vulnerability affects Thunderbird \u003c 52.5.2."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Mailsploit part 1: From address with encoded null character is cut off in message header display",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-06-12T09:57:01",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "name": "[debian-lts-announce] 20171227 [SECURITY] [DLA 1223-1] thunderbird security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00026.html"
        },
        {
          "name": "USN-3529-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3529-1/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1423432"
        },
        {
          "name": "102258",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/102258"
        },
        {
          "name": "1040123",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1040123"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2017-30/"
        },
        {
          "name": "DSA-4075",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2017/dsa-4075"
        },
        {
          "name": "RHSA-2018:0061",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:0061"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@mozilla.org",
          "ID": "CVE-2017-7829",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Thunderbird",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "52.5.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Mozilla"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "It is possible to spoof the sender\u0027s email address and display an arbitrary sender address to the email recipient. The real sender\u0027s address is not displayed if preceded by a null character in the display string. This vulnerability affects Thunderbird \u003c 52.5.2."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Mailsploit part 1: From address with encoded null character is cut off in message header display"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[debian-lts-announce] 20171227 [SECURITY] [DLA 1223-1] thunderbird security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00026.html"
            },
            {
              "name": "USN-3529-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3529-1/"
            },
            {
              "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1423432",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1423432"
            },
            {
              "name": "102258",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/102258"
            },
            {
              "name": "1040123",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1040123"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2017-30/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2017-30/"
            },
            {
              "name": "DSA-4075",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2017/dsa-4075"
            },
            {
              "name": "RHSA-2018:0061",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:0061"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2017-7829",
    "datePublished": "2018-06-11T21:00:00",
    "dateReserved": "2017-04-12T00:00:00",
    "dateUpdated": "2024-08-05T16:19:27.675Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2017-7847 (GCVE-0-2017-7847)

Vulnerability from cvelistv5 – Published: 2018-06-11 21:00 – Updated: 2024-08-05 16:19

Summary

Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain user name. This vulnerability affects Thunderbird < 52.5.2.

Severity ?

No CVSS data available.

CWE

Local path string can be leaked from RSS feed

Assigner

mozilla

References

URL

Tags

	https://lists.debian.org/debian-lts-announce/2017…	mailing-listx_refsource_MLIST
	https://bugzilla.mozilla.org/show_bug.cgi?id=1411708	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/102258	vdb-entryx_refsource_BID
	http://www.securitytracker.com/id/1040123	vdb-entryx_refsource_SECTRACK
	https://www.mozilla.org/security/advisories/mfsa2…	x_refsource_CONFIRM
	https://www.debian.org/security/2017/dsa-4075	vendor-advisoryx_refsource_DEBIAN
	https://access.redhat.com/errata/RHSA-2018:0061	vendor-advisoryx_refsource_REDHAT

Impacted products

	Vendor	Product	Version
	Mozilla	Thunderbird	Affected: unspecified , < 52.5.2 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T16:19:28.357Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[debian-lts-announce] 20171227 [SECURITY] [DLA 1223-1] thunderbird security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00026.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1411708"
          },
          {
            "name": "102258",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/102258"
          },
          {
            "name": "1040123",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1040123"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2017-30/"
          },
          {
            "name": "DSA-4075",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2017/dsa-4075"
          },
          {
            "name": "RHSA-2018:0061",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:0061"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "52.5.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2017-12-22T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain user name. This vulnerability affects Thunderbird \u003c 52.5.2."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Local path string can be leaked from RSS feed",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-06-12T09:57:01",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "name": "[debian-lts-announce] 20171227 [SECURITY] [DLA 1223-1] thunderbird security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00026.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1411708"
        },
        {
          "name": "102258",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/102258"
        },
        {
          "name": "1040123",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1040123"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2017-30/"
        },
        {
          "name": "DSA-4075",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2017/dsa-4075"
        },
        {
          "name": "RHSA-2018:0061",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:0061"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@mozilla.org",
          "ID": "CVE-2017-7847",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Thunderbird",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "52.5.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Mozilla"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain user name. This vulnerability affects Thunderbird \u003c 52.5.2."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Local path string can be leaked from RSS feed"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[debian-lts-announce] 20171227 [SECURITY] [DLA 1223-1] thunderbird security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00026.html"
            },
            {
              "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1411708",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1411708"
            },
            {
              "name": "102258",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/102258"
            },
            {
              "name": "1040123",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1040123"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2017-30/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2017-30/"
            },
            {
              "name": "DSA-4075",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2017/dsa-4075"
            },
            {
              "name": "RHSA-2018:0061",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:0061"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2017-7847",
    "datePublished": "2018-06-11T21:00:00",
    "dateReserved": "2017-04-12T00:00:00",
    "dateUpdated": "2024-08-05T16:19:28.357Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2017-7848 (GCVE-0-2017-7848)

Vulnerability from cvelistv5 – Published: 2018-06-11 21:00 – Updated: 2024-08-05 16:19

Summary

RSS fields can inject new lines into the created email structure, modifying the message body. This vulnerability affects Thunderbird < 52.5.2.

Severity ?

No CVSS data available.

CWE

RSS Feed vulnerable to new line Injection

Assigner

mozilla

References

URL

Tags

	https://lists.debian.org/debian-lts-announce/2017…	mailing-listx_refsource_MLIST
	https://bugzilla.mozilla.org/show_bug.cgi?id=1411699	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/102258	vdb-entryx_refsource_BID
	http://www.securitytracker.com/id/1040123	vdb-entryx_refsource_SECTRACK
	https://www.mozilla.org/security/advisories/mfsa2…	x_refsource_CONFIRM
	https://www.debian.org/security/2017/dsa-4075	vendor-advisoryx_refsource_DEBIAN
	https://access.redhat.com/errata/RHSA-2018:0061	vendor-advisoryx_refsource_REDHAT

Impacted products

	Vendor	Product	Version
	Mozilla	Thunderbird	Affected: unspecified , < 52.5.2 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T16:19:28.340Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[debian-lts-announce] 20171227 [SECURITY] [DLA 1223-1] thunderbird security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00026.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1411699"
          },
          {
            "name": "102258",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/102258"
          },
          {
            "name": "1040123",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1040123"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2017-30/"
          },
          {
            "name": "DSA-4075",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2017/dsa-4075"
          },
          {
            "name": "RHSA-2018:0061",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:0061"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "52.5.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2017-12-22T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "RSS fields can inject new lines into the created email structure, modifying the message body. This vulnerability affects Thunderbird \u003c 52.5.2."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "RSS Feed vulnerable to new line Injection",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-06-12T09:57:01",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "name": "[debian-lts-announce] 20171227 [SECURITY] [DLA 1223-1] thunderbird security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00026.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1411699"
        },
        {
          "name": "102258",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/102258"
        },
        {
          "name": "1040123",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1040123"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2017-30/"
        },
        {
          "name": "DSA-4075",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2017/dsa-4075"
        },
        {
          "name": "RHSA-2018:0061",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:0061"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@mozilla.org",
          "ID": "CVE-2017-7848",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Thunderbird",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "52.5.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Mozilla"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "RSS fields can inject new lines into the created email structure, modifying the message body. This vulnerability affects Thunderbird \u003c 52.5.2."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "RSS Feed vulnerable to new line Injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[debian-lts-announce] 20171227 [SECURITY] [DLA 1223-1] thunderbird security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00026.html"
            },
            {
              "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1411699",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1411699"
            },
            {
              "name": "102258",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/102258"
            },
            {
              "name": "1040123",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1040123"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2017-30/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2017-30/"
            },
            {
              "name": "DSA-4075",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2017/dsa-4075"
            },
            {
              "name": "RHSA-2018:0061",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:0061"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2017-7848",
    "datePublished": "2018-06-11T21:00:00",
    "dateReserved": "2017-04-12T00:00:00",
    "dateUpdated": "2024-08-05T16:19:28.340Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

OPENSUSE-SU-2017:3434-1

CVE-2017-7846 (GCVE-0-2017-7846)

CVE-2017-7829 (GCVE-0-2017-7829)

CVE-2017-7847 (GCVE-0-2017-7847)

CVE-2017-7848 (GCVE-0-2017-7848)

Tags

Sightings

Nomenclature