CVE-2019-11739Cleartext Transmission of Sensitive Info in Mozilla Thunderbird

CWE-319Cleartext Transmission of Sensitive InfoCWE-356Product UI does not Warn User of Unsafe Actions8 documents7 sources
Severity
6.5MEDIUMNVD
EPSS
0.3%
top 49.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mozilla ThunderbirdDebian Thunderbird
Timeline
PublishedSep 27
Latest updateMay 24

Description

Encrypted S/MIME parts in a crafted multipart/alternative message can leak plaintext when included in a a HTML reply/forward. This vulnerability affects Thunderbird < 68.1 and Thunderbird < 60.9.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

debiandebian/thunderbird< thunderbird 1:60.9.0-1 (bookworm)
CVEListV5mozilla/thunderbirdunspecified68.1+1
NVDmozilla/thunderbird68.068.1.0+1
Debianmozilla/thunderbird< 1:60.9.0-1+3
Ubuntumozilla/thunderbird< 1:60.9.0+build1-0ubuntu0.16.04.2+1

🔴Vulnerability Details

3
GHSA
GHSA-c6f3-q26v-xmx7: Encrypted S/MIME parts in a crafted multipart/alternative message can leak plaintext when included in a a HTML reply/forward2022-05-24
OSV
thunderbird vulnerabilities2019-10-08
OSV
CVE-2019-11739: Encrypted S/MIME parts in a crafted multipart/alternative message can leak plaintext when included in a a HTML reply/forward2019-09-27

📋Vendor Advisories

3
Ubuntu
Thunderbird vulnerabilities2019-10-08
Red Hat
Mozilla: Covert Content Attack on S/MIME encryption using a crafted multipart/alternative message2019-09-15
Debian
CVE-2019-11739: thunderbird - Encrypted S/MIME parts in a crafted multipart/alternative message can leak plain...2019

💬Community

1
Bugzilla
CVE-2019-11739 Mozilla: Covert Content Attack on S/MIME encryption using a crafted multipart/alternative message2019-09-15