{"id":"USN-6333-1","summary":"thunderbird vulnerabilities","details":"Junsung Lee discovered that Thunderbird did not properly validate the text\ndirection override unicode character in filenames. An attacker could\npotentially exploit this issue by spoofing file extension while attaching\na file in emails. (CVE-2023-3417)\n\nMax Vlasov discovered that Thunderbird Offscreen Canvas did not properly\ntrack cross-origin tainting. An attacker could potentially exploit this\nissue to access image data from another site in violation of same-origin\npolicy. (CVE-2023-4045)\n\nAlexander Guryanov discovered that Thunderbird did not properly update the\nvalue of a global variable in WASM JIT analysis in some circumstances. An\nattacker could potentially exploit this issue to cause a denial of service.\n(CVE-2023-4046)\n\nMark Brand discovered that Thunderbird did not properly validate the size\nof an untrusted input stream. An attacker could potentially exploit this\nissue to cause a denial of service. (CVE-2023-4050)\n\nMultiple security issues were discovered in Thunderbird. If a user were\ntricked into opening a specially crafted website in a browsing context, an\nattacker could potentially exploit these to cause a denial of service,\nobtain sensitive information, bypass security restrictions, cross-site\ntracing, or execute arbitrary code. 
(CVE-2023-4047, CVE-2023-4048,\nCVE-2023-4049, CVE-2023-4055, CVE-2023-4056)\n","modified":"2026-02-10T04:43:17Z","published":"2023-09-04T04:07:45Z","related":["UBUNTU-CVE-2023-3417","UBUNTU-CVE-2023-4045","UBUNTU-CVE-2023-4046","UBUNTU-CVE-2023-4047","UBUNTU-CVE-2023-4048","UBUNTU-CVE-2023-4049","UBUNTU-CVE-2023-4050","UBUNTU-CVE-2023-4055","UBUNTU-CVE-2023-4056"],"upstream":["CVE-2023-3417","CVE-2023-4045","CVE-2023-4046","CVE-2023-4047","CVE-2023-4048","CVE-2023-4049","CVE-2023-4050","CVE-2023-4055","CVE-2023-4056","UBUNTU-CVE-2023-3417","UBUNTU-CVE-2023-4045","UBUNTU-CVE-2023-4046","UBUNTU-CVE-2023-4047","UBUNTU-CVE-2023-4048","UBUNTU-CVE-2023-4049","UBUNTU-CVE-2023-4050","UBUNTU-CVE-2023-4055","UBUNTU-CVE-2023-4056"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-6333-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-3417"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-4045"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-4046"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-4047"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-4048"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-4049"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-4050"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-4055"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-4056"}],"affected":[{"package":{"name":"thunderbird","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/thunderbird@1:102.15.0+build1-0ubuntu0.20.04.1?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:102.15.0+build1-0ubuntu0.20.04.1"}]}],"versions":["1:68.1.2+build1-0ubuntu1","1:68.1.2+build1-0ubuntu2","1:68.2.1+build1-0ubuntu1","1:68.2.2+build1-0ubuntu1","1:68.3.0+build2-0ubuntu1","1:68.3.1+build1-0ubuntu2","1:68.4.1+build1-0ubuntu1","1:68.4.2+build2-0ubuntu1","1:68.5.0+build1-0ubuntu1","1:68.6.0+build2-0ubuntu1","1
:68.7.0+build1-0ubuntu1","1:68.7.0+build1-0ubuntu2","1:68.8.0+build2-0ubuntu0.20.04.2","1:68.10.0+build1-0ubuntu0.20.04.1","1:78.7.1+build1-0ubuntu0.20.04.1","1:78.8.1+build1-0ubuntu0.20.04.1","1:78.11.0+build1-0ubuntu0.20.04.2","1:78.13.0+build1-0ubuntu0.20.04.2","1:78.14.0+build1-0ubuntu0.20.04.1","1:78.14.0+build1-0ubuntu0.20.04.2","1:91.5.0+build1-0ubuntu0.20.04.1","1:91.7.0+build2-0ubuntu0.20.04.1","1:91.8.1+build1-0ubuntu0.20.04.1","1:91.9.1+build1-0ubuntu0.20.04.1","1:91.11.0+build2-0ubuntu0.20.04.1","1:102.2.2+build1-0ubuntu0.20.04.1","1:102.4.2+build2-0ubuntu0.20.04.1","1:102.7.1+build2-0ubuntu0.20.04.1","1:102.8.0+build2-0ubuntu0.20.04.1","1:102.9.0+build1-0ubuntu0.20.04.1","1:102.10.0+build2-0ubuntu0.20.04.1","1:102.11.0+build1-0ubuntu0.20.04.1","1:102.13.0+build1-0ubuntu0.20.04.1"],"ecosystem_specific":{"binaries":[{"binary_version":"1:102.15.0+build1-0ubuntu0.20.04.1","binary_name":"thunderbird"},{"binary_version":"1:102.15.0+build1-0ubuntu0.20.04.1","binary_name":"thunderbird-dev"},{"binary_version":"1:102.15.0+build1-0ubuntu0.20.04.1","binary_name":"thunderbird-gnome-support"},{"binary_version":"1:102.15.0+build1-0ubuntu0.20.04.1","binary_name":"thunderbird-mozsymbols"},{"binary_version":"1:102.15.0+build1-0ubuntu0.20.04.1","binary_name":"xul-ext-calendar-timezones"},{"binary_version":"1:102.15.0+build1-0ubuntu0.20.04.1","binary_name":"xul-ext-gdata-provider"},{"binary_version":"1:102.15.0+build1-0ubuntu0.20.04.1","binary_name":"xul-ext-lightning"}],"availability":"No subscription 
required"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:20.04:LTS","cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-3417"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-4045"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-4046"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-4047"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-4048"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-4049"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-4050"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-4055"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-4056"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6333-1.json"}},{"package":{"name":"thunderbird","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/thunderbird@1:102.15.0+build1-0ubuntu0.22.04.1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:102.15.0+build1-0ubuntu0.22.04.1"}]}],"versions":["1:91.1.2+build1-0ubuntu1","1:91.3.0+build2-0ubuntu1","1:91.3.1+build1-0ubuntu1","1:91.3.2+build1-0ubuntu1","1:91.4.0+build1.1-0ubuntu1","1:91.4.0+build2-0ubuntu1","1:91.5.0+build1-0ubuntu1","1:91.5.1+build1-0ubuntu1","1:91.6.1+
build1-0ubuntu1","1:91.7.0+build1-0ubuntu1","1:91.7.0+build2-0ubuntu1","1:91.8.0+build2-0ubuntu1","1:91.9.1+build1-0ubuntu0.22.04.1","1:91.11.0+build2-0ubuntu0.22.04.1","1:102.2.2+build1-0ubuntu0.22.04.1","1:102.4.2+build2-0ubuntu0.22.04.1","1:102.7.1+build2-0ubuntu0.22.04.1","1:102.8.0+build2-0ubuntu0.22.04.1","1:102.9.0+build1-0ubuntu0.22.04.1","1:102.10.0+build2-0ubuntu0.22.04.1","1:102.11.0+build1-0ubuntu0.22.04.1","1:102.13.0+build1-0ubuntu0.22.04.1"],"ecosystem_specific":{"binaries":[{"binary_version":"1:102.15.0+build1-0ubuntu0.22.04.1","binary_name":"thunderbird"},{"binary_version":"1:102.15.0+build1-0ubuntu0.22.04.1","binary_name":"thunderbird-dev"},{"binary_version":"1:102.15.0+build1-0ubuntu0.22.04.1","binary_name":"thunderbird-gnome-support"},{"binary_version":"1:102.15.0+build1-0ubuntu0.22.04.1","binary_name":"thunderbird-mozsymbols"},{"binary_version":"1:102.15.0+build1-0ubuntu0.22.04.1","binary_name":"xul-ext-calendar-timezones"},{"binary_version":"1:102.15.0+build1-0ubuntu0.22.04.1","binary_name":"xul-ext-gdata-provider"},{"binary_version":"1:102.15.0+build1-0ubuntu0.22.04.1","binary_name":"xul-ext-lightning"}],"availability":"No subscription 
required"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:22.04:LTS","cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-3417"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-4045"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-4046"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-4047"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-4048"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-4049"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-4050"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-4055"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-4056"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6333-1.json"}}],"schema_version":"1.7.3"}