1. Home
  2. Security Advisories
  3. Mozilla
  4. MFSA-2022-36

[MFSA-2022-36] Security Vulnerabilities fixed in Thunderbird 102.2

Severity High
Affected Packages 1
Fixed Packages 1
CVEs 5
Info Packages References Vulnerabilities

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

  • CVE-2022-38472: Address bar spoofing via XSLT error handling (high)
    An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin.

  • CVE-2022-38473: Cross-origin XSLT Documents would have inherited the parent's permissions (high)
    A cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access).

  • CVE-2022-38476: Data race and potential use-after-free in PK11_ChangePW (low)
    A data race could occur in the <code>PK11_ChangePW</code> function, potentially leading to a use-after-free vulnerability. In Thunderbird, this lock protected the data when a user changed their master password.

  • CVE-2022-38477: Memory safety bugs fixed in Thunderbird 102.2 (high)
    Mozilla developer Nika Layzell and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 102.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

  • CVE-2022-38478: Memory safety bugs fixed in Thunderbird 102.2, and Thunderbird 91.13 (high)
    Members the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 102.1 and Thunderbird 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

Package Affected Version
pkg:mozilla/Thunderbird < 102.2
Package Fixed Version
pkg:mozilla/Thunderbird = 102.2
ID
MFSA-2022-36
Severity
high
URL
https://www.mozilla.org/en-US/security/advisories/mfsa2022-36
Published
2022-08-23T00:00:00
(2 years ago)
Modified
2022-08-23T00:00:00
(2 years ago)
Other Advisories
Source # ID Name URL
Bugzilla 1769155 https://bugzilla.mozilla.org/show_bug.cgi?id=1769155
Bugzilla 1771685 https://bugzilla.mozilla.org/show_bug.cgi?id=1771685
Bugzilla 1760998 https://bugzilla.mozilla.org/show_bug.cgi?id=1760998
Bugzilla 1760611 Memory safety bugs fixed in Thunderbird 102.2 https://bugzilla.mozilla.org/show_bug.cgi?id=1760611
Bugzilla 1770219 Memory safety bugs fixed in Thunderbird 102.2 https://bugzilla.mozilla.org/show_bug.cgi?id=1770219
Bugzilla 1771159 Memory safety bugs fixed in Thunderbird 102.2 https://bugzilla.mozilla.org/show_bug.cgi?id=1771159
Bugzilla 1773363 Memory safety bugs fixed in Thunderbird 102.2 https://bugzilla.mozilla.org/show_bug.cgi?id=1773363
Bugzilla 1770630 Memory safety bugs fixed in Thunderbird 102.2, and Thunderbird 91.13 https://bugzilla.mozilla.org/show_bug.cgi?id=1770630
Bugzilla 1776658 Memory safety bugs fixed in Thunderbird 102.2, and Thunderbird 91.13 https://bugzilla.mozilla.org/show_bug.cgi?id=1776658
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:mozilla/Thunderbird Thunderbird < 102.2
Fixed pkg:mozilla/Thunderbird Thunderbird = 102.2
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date