The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third-party. While this update fixes the bug and avoids future message contamination, it does not automatically repair existing contaminations. Users are advised to use the repair folder functionality, which is available from the context menu of email folders, which will erase incorrect subject assignments. This vulnerability affects Thunderbird < 115.8.1.
References
Link | Resource |
---|---|
https://bugzilla.mozilla.org/show_bug.cgi?id=1860977 | Issue Tracking Exploit Vendor Advisory |
https://lists.debian.org/debian-lts-announce/2024/03/msg00022.html | Mailing List |
https://www.mozilla.org/security/advisories/mfsa2024-11/ | Vendor Advisory |
https://bugzilla.mozilla.org/show_bug.cgi?id=1860977 | Issue Tracking Exploit Vendor Advisory |
https://lists.debian.org/debian-lts-announce/2024/03/msg00022.html | Mailing List |
https://www.mozilla.org/security/advisories/mfsa2024-11/ | Vendor Advisory |
Configurations
History
30 Jun 2025, 12:12
Type | Values Removed | Values Added |
---|---|---|
References | () https://bugzilla.mozilla.org/show_bug.cgi?id=1860977 - Issue Tracking, Exploit, Vendor Advisory | |
References | () https://lists.debian.org/debian-lts-announce/2024/03/msg00022.html - Mailing List | |
References | () https://www.mozilla.org/security/advisories/mfsa2024-11/ - Vendor Advisory | |
CPE | cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
|
First Time |
Debian
Mozilla Debian debian Linux Mozilla thunderbird |
26 Nov 2024, 14:15
Type | Values Removed | Values Added |
---|---|---|
Summary | (en) The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third-party. While this update fixes the bug and avoids future message contamination, it does not automatically repair existing contaminations. Users are advised to use the repair folder functionality, which is available from the context menu of email folders, which will erase incorrect subject assignments. This vulnerability affects Thunderbird < 115.8.1. |
21 Nov 2024, 08:51
Type | Values Removed | Values Added |
---|---|---|
References | () https://bugzilla.mozilla.org/show_bug.cgi?id=1860977 - | |
References | () https://lists.debian.org/debian-lts-announce/2024/03/msg00022.html - | |
References | () https://www.mozilla.org/security/advisories/mfsa2024-11/ - |
08 Aug 2024, 21:35
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
CWE | CWE-922 |
23 Mar 2024, 12:15
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
|
References |
|
04 Mar 2024, 22:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-03-04 22:15
Updated : 2025-06-30 12:12
NVD link : CVE-2024-1936
Mitre link : CVE-2024-1936
CVE.ORG link : CVE-2024-1936
JSON object : View
Products Affected
debian
- debian_linux
mozilla
- thunderbird
CWE
CWE-922
Insecure Storage of Sensitive Information