cbcvebase.
CVE-2019-11703
published 2019-07-23

Priority: P261
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 10.53% (95.2th percentile)
A flaw in Thunderbird's implementation of iCal causes a heap buffer overflow in parser_get_next_char when processing certain email messages, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7.1.

Affected (7 ranges)

Vendor    Product      Version range            Fixed in
debian    thunderbird  < 1:60.7.1-1 (bookworm)  1:60.7.1-1 (bookworm)
mozilla   thunderbird  < 60.7.1                 60.7.1
mozilla   thunderbird  >= 0 < 1:60.7.1-1        1:60.7.1-1
mozilla   thunderbird  >= 0 < 1:60.7.1-1        1:60.7.1-1
mozilla   thunderbird  >= 0 < 1:60.7.1-1        1:60.7.1-1
mozilla   thunderbird  >= 0 < 1:60.7.1-1        1:60.7.1-1
mozilla   thunderbird  >= unspecified < 60.7.1  60.7.1

Detection & IOCs (extracted from sources)

url:  https://github.com/x41sec/advisories/tree/master/X41-2019-002
url:  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47003.zip
path: icalparser.c
  • Monitor incoming email messages carrying iCal/calendar attachments (.ics files) delivered to Thunderbird clients older than 60.7.1; such messages may trigger the heap buffer overflow in parser_get_next_char() within icalparser.c.
  • Alert on Thunderbird process crashes (potentially exploitable) that occur while processing calendar attachments, as the vulnerability manifests initially as an out-of-bounds read that may progress to an out-of-bounds write.
  • The vector is network-delivered via incoming mail with a calendar attachment: inspect SMTP/IMAP traffic for .ics attachments with malformed or unusually crafted string content destined for Thunderbird < 60.7.1.
  • Thunderbird can be configured to use the JavaScript-based icaljs parser instead of the vulnerable libical C library, fully mitigating this vulnerability without patching.
  • The vulnerable code originates from a fork of upstream libical version 0.47; the upstream fix was committed pre-v2.0.0 (2015-08-11) but was not backported into Thunderbird's bundled copy until the 60.7.1 patch.
  • No pointer-based writes are possible directly from parser_get_next_char; the overflow is a heap over-read, though RCE via further exploitation cannot be ruled out.

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv            -        9.8    CRITICAL  -
vendor_debian  -        9.8    CRITICAL  -
vendor_redhat  -        9.8    CRITICAL  -