CVE-2023-0616Uncontrolled Resource Consumption in Mozilla Thunderbird

CWE-400Uncontrolled Resource ConsumptionCWE-770Allocation of Resources Without Limits or ThrottlingCWE-449The UI Performs the Wrong Action8 documents7 sources
Severity
6.5MEDIUMNVD
EPSS
0.1%
top 70.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla ThunderbirdDebian ThunderbirdMozilla Firefox
Timeline
PublishedJun 2

Description

If a MIME email combines OpenPGP and OpenPGP MIME data in a certain way Thunderbird repeatedly attempts to process and display the message, which could cause Thunderbird's user interface to lock up and no longer respond to the user's actions. An attacker could send a crafted message with this structure to attempt a DoS attack. This vulnerability affects Thunderbird < 102.8.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages6 packages

debiandebian/thunderbird< thunderbird 1:102.8.0-1 (bookworm)
CVEListV5mozilla/thunderbirdunspecified102.8
NVDmozilla/thunderbird< 102.8
Debianmozilla/thunderbird< 1:102.8.0-1~deb11u1+3
Ubuntumozilla/thunderbird< 1:102.8.0+build2-0ubuntu0.18.04.1+2

🔴Vulnerability Details

3
GHSA
GHSA-w7wv-wm72-g6pr: If a MIME email combines OpenPGP and OpenPGP MIME data in a certain way Thunderbird repeatedly attempts to process and display the message, which coul2023-06-02
OSV
CVE-2023-0616: If a MIME email combines OpenPGP and OpenPGP MIME data in a certain way Thunderbird repeatedly attempts to process and display the message, which coul2023-06-02
OSV
thunderbird vulnerabilities2023-03-13

📋Vendor Advisories

4
Ubuntu
Thunderbird vulnerabilities2023-03-13
Red Hat
Mozilla: User Interface lockup with messages combining S/MIME and OpenPGP2023-02-14
Debian
CVE-2023-0616: thunderbird - If a MIME email combines OpenPGP and OpenPGP MIME data in a certain way Thunderb...2023
Mozilla
Mozilla Foundation Security Advisory 2023-07: CVE-2023-0616
CVE-2023-0616 — Uncontrolled Resource Consumption | cvebase