CVE-2024-23330 - OpenCVE

Vendors	Products
Tuta	Tutanota

Link	Providers
https://github.com/tutao/tutanota/security/advisories/GHSA-32w8-v5fc-vpp7

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23330", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-15T15:19:19.442Z", "datePublished": "2024-01-23T17:22:25.503Z", "dateUpdated": "2024-08-01T22:59:32.246Z"}, "containers": {"cna": {"title": "Tuta loads images from external resources", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/tutao/tutanota/security/advisories/GHSA-32w8-v5fc-vpp7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tutao/tutanota/security/advisories/GHSA-32w8-v5fc-vpp7"}], "affected": [{"vendor": "tutao", "product": "tutanota", "versions": [{"version": "< 119.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-23T17:22:25.503Z"}, "descriptions": [{"lang": "en", "value": "Tuta is an encrypted email service. In versions prior to 119.10, an attacker can attach an image in a html mail which is loaded from external resource in the default setting, which should prevent loading of external resources. When displaying emails containing external content, they should be loaded by default only after confirmation by the user. However, it could be recognized that certain embedded images (see PoC) are loaded, even though the \"Automatic Reloading of Images\" function is disabled by default. The reloading is also done unencrypted via HTTP and redirections are followed. This behavior is unexpected for the user, since the user assumes that external content will only be loaded after explicit manual confirmation. The loading of external content in e-mails represents a risk, because this makes the sender aware that the e-mail address is used, when the e-mail was read, which device is used and expose the user's IP address. Version 119.10 contains a patch for this issue."}], "source": {"advisory": "GHSA-32w8-v5fc-vpp7", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:59:32.246Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/tutao/tutanota/security/advisories/GHSA-32w8-v5fc-vpp7", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/tutao/tutanota/security/advisories/GHSA-32w8-v5fc-vpp7"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tuta:tutanota:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "04E5AB8A-90C8-44C7-90D4-376036FF6017", "versionEndExcluding": "119.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tuta is an encrypted email service. In versions prior to 119.10, an attacker can attach an image in a html mail which is loaded from external resource in the default setting, which should prevent loading of external resources. When displaying emails containing external content, they should be loaded by default only after confirmation by the user. However, it could be recognized that certain embedded images (see PoC) are loaded, even though the \"Automatic Reloading of Images\" function is disabled by default. The reloading is also done unencrypted via HTTP and redirections are followed. This behavior is unexpected for the user, since the user assumes that external content will only be loaded after explicit manual confirmation. The loading of external content in e-mails represents a risk, because this makes the sender aware that the e-mail address is used, when the e-mail was read, which device is used and expose the user's IP address. Version 119.10 contains a patch for this issue."}, {"lang": "es", "value": "Tuta es un servicio de correo electr\u00f3nico cifrado. En versiones anteriores a la 119.10, un atacante puede adjuntar una imagen en un correo html que se carga desde un recurso externo en la configuraci\u00f3n predeterminada, lo que deber\u00eda impedir la carga de recursos externos. Al mostrar correos electr\u00f3nicos con contenido externo, deben cargarse de forma predeterminada solo despu\u00e9s de la confirmaci\u00f3n por parte del usuario. Sin embargo, se podr\u00eda reconocer que ciertas im\u00e1genes incrustadas (ver PoC) est\u00e1n cargadas, aunque la funci\u00f3n \"Recarga autom\u00e1tica de im\u00e1genes\" est\u00e9 deshabilitada de forma predeterminada. La recarga tambi\u00e9n se realiza sin cifrar a trav\u00e9s de HTTP y se siguen las redirecciones. Este comportamiento es inesperado para el usuario, ya que el usuario asume que el contenido externo solo se cargar\u00e1 despu\u00e9s de una confirmaci\u00f3n manual expl\u00edcita. La carga de contenido externo en los correos electr\u00f3nicos representa un riesgo, porque esto hace que el remitente sepa qu\u00e9 direcci\u00f3n de correo electr\u00f3nico se utiliza, cu\u00e1ndo se ley\u00f3 el correo electr\u00f3nico, qu\u00e9 dispositivo se utiliza y expone la direcci\u00f3n IP del usuario. La versi\u00f3n 119.10 contiene un parche para este problema."}], "id": "CVE-2024-23330", "lastModified": "2024-02-01T17:20:38.387", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-23T18:15:19.060", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/tutao/tutanota/security/advisories/GHSA-32w8-v5fc-vpp7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object