{
  "threat_severity" : "Important",
  "public_date" : "2024-03-04T00:00:00Z",
  "bugzilla" : {
    "description" : "Mozilla: Leaking of encrypted email subjects to other conversations",
    "id" : "2268171",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2268171"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-311",
  "details" : [ "The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third-party. While this update fixes the bug and avoids future message contamination, it does not automatically repair existing contaminations. Users are advised to use the repair folder functionality, which is available from the context menu of email folders, which will erase incorrect subject assignments. This vulnerability affects Thunderbird < 115.8.1.", "A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes this flaw as follows: The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third party. While this update fixes the bug and avoids future message contamination, it does not automatically repair existing contaminations. Users are advised to use the repair folder functionality, which is available from the context menu of email folders, which will erase incorrect subject assignments." ],
  "statement" : "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.",
  "acknowledgement" : "Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Several community reporters as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2024-03-25T00:00:00Z",
    "advisory" : "RHSA-2024:1498",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "thunderbird-0:115.9.0-1.el7_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-03-25T00:00:00Z",
    "advisory" : "RHSA-2024:1494",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "thunderbird-0:115.9.0-1.el8_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2024-03-25T00:00:00Z",
    "advisory" : "RHSA-2024:1500",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.2",
    "package" : "thunderbird-0:115.9.0-1.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Telecommunications Update Service",
    "release_date" : "2024-03-25T00:00:00Z",
    "advisory" : "RHSA-2024:1500",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.2",
    "package" : "thunderbird-0:115.9.0-1.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions",
    "release_date" : "2024-03-25T00:00:00Z",
    "advisory" : "RHSA-2024:1500",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.2",
    "package" : "thunderbird-0:115.9.0-1.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2024-03-25T00:00:00Z",
    "advisory" : "RHSA-2024:1499",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.4",
    "package" : "thunderbird-0:115.9.0-1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service",
    "release_date" : "2024-03-25T00:00:00Z",
    "advisory" : "RHSA-2024:1499",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.4",
    "package" : "thunderbird-0:115.9.0-1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions",
    "release_date" : "2024-03-25T00:00:00Z",
    "advisory" : "RHSA-2024:1499",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.4",
    "package" : "thunderbird-0:115.9.0-1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support",
    "release_date" : "2024-03-25T00:00:00Z",
    "advisory" : "RHSA-2024:1497",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.6",
    "package" : "thunderbird-0:115.9.0-1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2024-03-25T00:00:00Z",
    "advisory" : "RHSA-2024:1496",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.8",
    "package" : "thunderbird-0:115.9.0-1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-03-25T00:00:00Z",
    "advisory" : "RHSA-2024:1493",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "thunderbird-0:115.9.0-1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Extended Update Support",
    "release_date" : "2024-03-25T00:00:00Z",
    "advisory" : "RHSA-2024:1495",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.0",
    "package" : "thunderbird-0:115.9.0-1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-03-25T00:00:00Z",
    "advisory" : "RHSA-2024:1492",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "thunderbird-0:115.9.0-1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-1936\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-1936\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2024-11/#CVE-2024-1936" ],
  "name" : "CVE-2024-1936",
  "csaw" : false
}