Bug 2123255 (CVE-2022-3032) - CVE-2022-3032 Mozilla: Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked
Summary: CVE-2022-3032 Mozilla: Remote content specified in an HTML document that was ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-3032
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2123264 2123265 2123266 2123267 2123268 2123269 2123270 2123271 2123272
Blocks: 2123245
TreeView+ depends on / blocked
 
Reported: 2022-09-01 09:09 UTC by Mauro Matteo Cascella
Modified: 2022-11-28 06:15 UTC (History)
5 users (show)

Fixed In Version: thunderbird 91.13.1, thunderbird 102.2.1
Doc Type: ---
Doc Text:
A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue of when receiving an HTML email that contained an `iframe` element, which used a `srcdoc` attribute to define the internal HTML document, remote objects specified in the nested document (for example, images or videos), were not blocked. Rather, the network was accessed, and the objects were loaded and displayed.
Clone Of:
Environment:
Last Closed: 2022-11-28 06:15:08 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:6708 0 None None None 2022-09-26 15:33:46 UTC
Red Hat Product Errata RHSA-2022:6710 0 None None None 2022-09-26 15:11:50 UTC
Red Hat Product Errata RHSA-2022:6713 0 None None None 2022-09-26 14:56:22 UTC
Red Hat Product Errata RHSA-2022:6715 0 None None None 2022-09-26 15:54:37 UTC
Red Hat Product Errata RHSA-2022:6716 0 None None None 2022-09-26 15:39:04 UTC
Red Hat Product Errata RHSA-2022:6717 0 None None None 2022-09-26 16:48:48 UTC

Description Mauro Matteo Cascella 2022-09-01 09:09:10 UTC 
When receiving an HTML email that contained an `iframe` element, which used a `srcdoc` attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were not blocked. Rather, the network was accessed, the objects were loaded and displayed.

External References:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-38/#CVE-2022-3032
https://www.mozilla.org/en-US/security/advisories/mfsa2022-39/#CVE-2022-3032
Comment 2 errata-xmlrpc 2022-09-26 14:56:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:6713 https://access.redhat.com/errata/RHSA-2022:6713
Comment 3 errata-xmlrpc 2022-09-26 15:11:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:6710 https://access.redhat.com/errata/RHSA-2022:6710
Comment 4 errata-xmlrpc 2022-09-26 15:33:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6708 https://access.redhat.com/errata/RHSA-2022:6708
Comment 5 errata-xmlrpc 2022-09-26 15:39:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:6716 https://access.redhat.com/errata/RHSA-2022:6716
Comment 6 errata-xmlrpc 2022-09-26 15:54:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:6715 https://access.redhat.com/errata/RHSA-2022:6715
Comment 7 errata-xmlrpc 2022-09-26 16:48:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6717 https://access.redhat.com/errata/RHSA-2022:6717
Comment 8 Product Security DevOps Team 2022-11-28 06:15:06 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3032
Note You need to log in before you can comment on or make changes to this bug.