Using remote content in encrypted messages can lead to the disclosure of plaintext. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8.
Weakness
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Debian_linux | Debian | 7.0 (including) | 7.0 (including) |
| Debian_linux | Debian | 8.0 (including) | 8.0 (including) |
| Debian_linux | Debian | 9.0 (including) | 9.0 (including) |
| Red Hat Enterprise Linux 6 | RedHat | thunderbird-0:52.8.0-2.el6_9 | * |
| Red Hat Enterprise Linux 7 | RedHat | thunderbird-0:52.8.0-1.el7_5 | * |
| Thunderbird | Ubuntu | artful | * |
| Thunderbird | Ubuntu | bionic | * |
| Thunderbird | Ubuntu | devel | * |
| Thunderbird | Ubuntu | trusty | * |
| Thunderbird | Ubuntu | upstream | * |
| Thunderbird | Ubuntu | xenial | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/112.html
- https://cwe.mitre.org/data/definitions/192.html
- https://cwe.mitre.org/data/definitions/20.html
References
- http://www.securityfocus.com/bid/104240
- http://www.securitytracker.com/id/1040946
- https://access.redhat.com/errata/RHSA-2018:1725
- https://access.redhat.com/errata/RHSA-2018:1726
- https://bugzilla.mozilla.org/show_bug.cgi?id=1411592
- https://lists.debian.org/debian-lts-announce/2018/05/msg00013.html
- https://security.gentoo.org/glsa/201811-13
- https://usn.ubuntu.com/3660-1/
- https://www.debian.org/security/2018/dsa-4209
- https://www.mozilla.org/security/advisories/mfsa2018-13/
- http://www.securityfocus.com/bid/104240
- http://www.securitytracker.com/id/1040946
- https://access.redhat.com/errata/RHSA-2018:1725
- https://access.redhat.com/errata/RHSA-2018:1726
- https://bugzilla.mozilla.org/show_bug.cgi?id=1411592
- https://lists.debian.org/debian-lts-announce/2018/05/msg00013.html
- https://security.gentoo.org/glsa/201811-13
- https://usn.ubuntu.com/3660-1/
- https://www.debian.org/security/2018/dsa-4209
- https://www.mozilla.org/security/advisories/mfsa2018-13/