Bug 2123256 (CVE-2022-3033)
| Summary: | CVE-2022-3033 Mozilla: Leaking of sensitive information when composing a response to an HTML email with a META refresh tag | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Mauro Matteo Cascella <mcascell> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | erack, jhorak, nobody, redhat, stransky, tpopela |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | thunderbird 91.13.1, thunderbird 102.2.1 | Doc Type: | --- |
| Doc Text: |
A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue of a Thunderbird user replying to a crafted HTML email containing a `meta` tag, with the `meta` tag having the `http-equiv="refresh"` attribute and the content attribute specifying an URL. Thunderbird started a network request to that URL, regardless of the configuration, to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. The JavaScript code was able to perform actions including, but probably not limited to, reading and modifying the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email. The contents could then be transmitted to the network, either to the URL specified in the META refresh tag or to a different URL, as the JavaScript code could modify the URL specified in the document. This bug doesn't affect users who have changed the default Message Body display setting to 'simple html' or 'plain text.'
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-11-28 06:27:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2123264, 2123265, 2123266, 2123267, 2123268, 2123269, 2123270, 2123271, 2123272 | ||
| Bug Blocks: | 2123245 | ||
|
Description
Mauro Matteo Cascella
2022-09-01 09:09:30 UTC
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:6713 https://access.redhat.com/errata/RHSA-2022:6713 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:6710 https://access.redhat.com/errata/RHSA-2022:6710 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:6708 https://access.redhat.com/errata/RHSA-2022:6708 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:6716 https://access.redhat.com/errata/RHSA-2022:6716 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:6715 https://access.redhat.com/errata/RHSA-2022:6715 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:6717 https://access.redhat.com/errata/RHSA-2022:6717 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-3033 |