{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-3032", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "dateUpdated": "2024-08-03T00:53:00.746Z", "dateReserved": "2022-08-29T00:00:00", "datePublished": "2022-12-22T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2022-12-22T00:00:00"}, "descriptions": [{"lang": "en", "value": "When receiving an HTML email that contained an <code>iframe</code> element, which used a <code>srcdoc</code> attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were not blocked. Rather, the network was accessed, the objects were loaded and displayed. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1."}], "affected": [{"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"version": "unspecified", "lessThan": "102.2.1", "status": "affected", "versionType": "custom"}, {"version": "unspecified", "lessThan": "91.13.1", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://www.mozilla.org/security/advisories/mfsa2022-38/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2022-39/"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1783831"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:53:00.746Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.mozilla.org/security/advisories/mfsa2022-38/", "tags": ["x_transferred"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2022-39/", "tags": ["x_transferred"]}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1783831", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "76F28FD2-6BE5-43C4-93B5-051739E3600E", "versionEndExcluding": "91.13.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "576EEF40-52A5-4876-843C-2648CBA74475", "versionEndExcluding": "102.2.1", "versionStartIncluding": "102.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When receiving an HTML email that contained an <code>iframe</code> element, which used a <code>srcdoc</code> attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were not blocked. Rather, the network was accessed, the objects were loaded and displayed. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1."}, {"lang": "es", "value": "Al recibir un correo electr\u00f3nico HTML que conten\u00eda un elemento <code>iframe</code>, que utilizaba un atributo <code>srcdoc</code> para definir el documento HTML interno, los objetos remotos especificados en el documento anidado, por ejemplo im\u00e1genes o v\u00eddeos , no fueron bloqueados. M\u00e1s bien, se acced\u00eda a la red, se cargaban los objetos y se mostraban. Esta vulnerabilidad afecta a Thunderbird &lt; 102.2.1 y Thunderbird &lt; 91.13.1."}], "id": "CVE-2022-3032", "lastModified": "2024-02-09T02:47:57.353", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-22T20:15:37.763", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1783831"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2022-38/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2022-39/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-610"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Sarah Jamie Lewis as the original reporter.", "affected_release": [{"advisory": "RHSA-2022:6710", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "thunderbird-0:102.3.0-3.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-09-26T00:00:00Z"}, {"advisory": "RHSA-2022:6708", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:102.3.0-3.el8_6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-09-26T00:00:00Z"}, {"advisory": "RHSA-2022:6716", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "thunderbird-0:102.3.0-3.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-09-26T00:00:00Z"}, {"advisory": "RHSA-2022:6715", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "thunderbird-0:102.3.0-3.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2022-09-26T00:00:00Z"}, {"advisory": "RHSA-2022:6713", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "thunderbird-0:102.3.0-3.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-09-26T00:00:00Z"}, {"advisory": "RHSA-2022:6717", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "thunderbird-0:102.3.0-3.el9_0", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-09-26T00:00:00Z"}], "bugzilla": {"description": "Mozilla: Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked", "id": "2123255", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2123255"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-1021", "details": ["When receiving an HTML email that contained an <code>iframe</code> element, which used a <code>srcdoc</code> attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were not blocked. Rather, the network was accessed, the objects were loaded and displayed. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.", "A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue of when receiving an HTML email that contained an `iframe` element, which used a `srcdoc` attribute to define the internal HTML document, remote objects specified in the nested document (for example, images or videos), were not blocked. Rather, the network was accessed, and the objects were loaded and displayed."], "name": "CVE-2022-3032", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2022-08-31T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-3032\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-3032\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2022-38/#CVE-2022-3032\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2022-39/#CVE-2022-3032"], "threat_severity": "Moderate", "upstream_fix": "thunderbird 91.13.1, thunderbird 102.2.1"}