CVE-2022-45414 Affecting thunderbird package, versions <0:102.6.0-2.0.1.el7_9


Severity

Recommended
0.0
high
0
10

Based on Oracle Linux security rating.

Threat Intelligence

EPSS
0.16% (54th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-ORACLE7-THUNDERBIRD-3174366
  • published16 Dec 2022
  • disclosed22 Dec 2022

Introduced: 16 Dec 2022

CVE-2022-45414  (opens in a new tab)

How to fix?

Upgrade Oracle:7 thunderbird to version 0:102.6.0-2.0.1.el7_9 or higher.
This issue was patched in ELSA-2022-9079-1.

NVD Description

Note: Versions mentioned in the description apply only to the upstream thunderbird package and not the thunderbird package as distributed by Oracle. See How to fix? for Oracle:7 relevant fixed versions and status.

If a Thunderbird user quoted from an HTML email, for example by replying to the email, and the email contained either a VIDEO tag with the POSTER attribute or an OBJECT tag with a DATA attribute, a network request to the referenced remote URL was performed, regardless of a configuration to block remote content. An image loaded from the POSTER attribute was shown in the composer window. These issues could have given an attacker additional capabilities when targetting releases that did not yet have a fix for CVE-2022-3033 which was reported around three months ago. This vulnerability affects Thunderbird < 102.5.1.

CVSS Scores

version 3.1