Bug 2149868 (CVE-2022-45414)
| Summary: | CVE-2022-45414 Mozilla: Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Mauro Matteo Cascella <mcascell> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | erack, jhorak, nobody, stransky, tpopela |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | thunderbird 102.5.1 | Doc Type: | --- |
| Doc Text: |
The Mozilla Foundation Security Advisory describes this flaw as:
If a Thunderbird user quoted from an HTML email and the email contained either a video tag with the poster attribute or an object tag with a data attribute, a network request to the referenced remote URL was performed regardless of a configuration to block remote content, and an image loaded from the poster attribute was shown in the composer window. These issues could have given an attacker additional capabilities when targeting releases that did not yet have a fix for CVE-2022-3033.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-12-16 11:17:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2151176, 2151177, 2151178, 2151179, 2151180, 2151181, 2151182, 2151183, 2151184, 2151185, 2151186 | ||
| Bug Blocks: | 2149867 | ||
|
Description
Mauro Matteo Cascella
2022-12-01 09:10:08 UTC
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:9077 https://access.redhat.com/errata/RHSA-2022:9077 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:9075 https://access.redhat.com/errata/RHSA-2022:9075 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2022:9076 https://access.redhat.com/errata/RHSA-2022:9076 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:9080 https://access.redhat.com/errata/RHSA-2022:9080 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2022:9078 https://access.redhat.com/errata/RHSA-2022:9078 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2022:9081 https://access.redhat.com/errata/RHSA-2022:9081 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:9074 https://access.redhat.com/errata/RHSA-2022:9074 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:9079 https://access.redhat.com/errata/RHSA-2022:9079 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-45414 |