2123256 – (CVE-2022-3033) CVE-2022-3033 Mozilla: Leaking of sensitive information when composing a response to an HTML email with a META refresh tag

Bug 2123256 (CVE-2022-3033) - CVE-2022-3033 Mozilla: Leaking of sensitive information when composing a response to an HTML email with a META refresh tag

Summary: CVE-2022-3033 Mozilla: Leaking of sensitive information when composing a resp...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-3033
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2123264 2123265 2123266 2123267 2123268 2123269 2123270 2123271 2123272
Blocks:	2123245
TreeView+	depends on / blocked

Reported:	2022-09-01 09:09 UTC by Mauro Matteo Cascella
Modified:	2022-11-28 06:27 UTC (History)
CC List:	6 users (show)
Fixed In Version:	thunderbird 91.13.1, thunderbird 102.2.1
Doc Type:	---
Doc Text:	A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue of a Thunderbird user replying to a crafted HTML email containing a `meta` tag, with the `meta` tag having the `http-equiv="refresh"` attribute and the content attribute specifying an URL. Thunderbird started a network request to that URL, regardless of the configuration, to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. The JavaScript code was able to perform actions including, but probably not limited to, reading and modifying the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email. The contents could then be transmitted to the network, either to the URL specified in the META refresh tag or to a different URL, as the JavaScript code could modify the URL specified in the document. This bug doesn't affect users who have changed the default Message Body display setting to 'simple html' or 'plain text.'
Clone Of:
Environment:
Last Closed:	2022-11-28 06:27:17 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:6708	None	None	None	2022-09-26 15:33:48 UTC
Red Hat Product Errata	RHSA-2022:6710	None	None	None	2022-09-26 15:11:51 UTC
Red Hat Product Errata	RHSA-2022:6713	None	None	None	2022-09-26 14:56:24 UTC
Red Hat Product Errata	RHSA-2022:6715	None	None	None	2022-09-26 15:54:38 UTC
Red Hat Product Errata	RHSA-2022:6716	None	None	None	2022-09-26 15:39:06 UTC
Red Hat Product Errata	RHSA-2022:6717	None	None	None	2022-09-26 16:48:52 UTC

Description Mauro Matteo Cascella 2022-09-01 09:09:30 UTC

If a Thunderbird user replied to a crafted HTML email containing a `meta` tag, with the `meta` tag
having the `http-equiv="refresh"` attribute, and the content attribute specifying an URL, then
Thunderbird started a network request to that URL, regardless of the configuration to block
remote content. In combination with certain other HTML elements and attributes in the email,
it was possible to execute JavaScript code included in the message in the context of the
message compose document. 
The JavaScript code was able to perform actions including, but probably not limited
to, read and modify the contents of the message compose document, including the quoted
original message, which could potentially contain the decrypted plaintext of encrypted data 
in the crafted email.
The contents could then be transmitted to the network, either to the URL specified in the META refresh tag,
or to a different URL, as the JavaScript code could modify the URL specified in the document.
This bug doesn't affect users who have changed the default Message Body display setting to
'simple html' or 'plain text'.

External References:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-38/#CVE-2022-3033
https://www.mozilla.org/en-US/security/advisories/mfsa2022-39/#CVE-2022-3033

Comment 2 errata-xmlrpc 2022-09-26 14:56:22 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:6713 https://access.redhat.com/errata/RHSA-2022:6713

Comment 3 errata-xmlrpc 2022-09-26 15:11:49 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:6710 https://access.redhat.com/errata/RHSA-2022:6710

Comment 4 errata-xmlrpc 2022-09-26 15:33:46 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6708 https://access.redhat.com/errata/RHSA-2022:6708

Comment 5 errata-xmlrpc 2022-09-26 15:39:03 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:6716 https://access.redhat.com/errata/RHSA-2022:6716

Comment 6 errata-xmlrpc 2022-09-26 15:54:35 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:6715 https://access.redhat.com/errata/RHSA-2022:6715

Comment 7 errata-xmlrpc 2022-09-26 16:48:49 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6717 https://access.redhat.com/errata/RHSA-2022:6717

Comment 8 Product Security DevOps Team 2022-11-28 06:27:15 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3033

Note You need to log in before you can comment on or make changes to this bug.