Mozilla Thunderbird up to 115.0.1 memory corruption

Summaryinfo

A vulnerability classified as critical was found in Mozilla Thunderbird. Affected by this issue is some unknown functionality. Such manipulation leads to memory corruption. This vulnerability is uniquely identified as CVE-2023-4584. The attack can be launched remotely. No exploit exists. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in Mozilla Thunderbird (Mail Client Software). It has been rated as critical. Affected by this issue is an unknown function. The manipulation with an unknown input leads to a memory corruption vulnerability. Using CWE to declare the problem leads to CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. Impacted is confidentiality, integrity, and availability. CVE summarizes:

Memory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, and Thunderbird < 115.2.

The weakness was disclosed 09/11/2023. The advisory is shared for download at mozilla.org. This vulnerability is handled as CVE-2023-4584 since 08/29/2023. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available. The current price for an exploit might be approx. USD $5k-$25k (estimation calculated on 06/20/2025).

The vulnerability scanner Nessus provides a plugin with the ID 239763 (TencentOS Server 4: thunderbird (TSSA-2024:0450)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 115.2 eliminates this vulnerability. The upgrade is hosted for download at mozilla.org.

The vulnerability is also documented in the vulnerability database at Tenable (239763). Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Mail Client Software

Vendor

• Mozilla

Name

• Thunderbird

Version

• 0.1
• 0.2
• 0.3
• 0.4
• 0.5
• 0.6
• 0.7
• 0.7.1
• 0.7.2
• 0.7.3
• 0.8
• 0.9
• 1
• 1.0
• 1.0.1
• 1.0.2
• 1.0.3
• 1.0.4
• 1.0.5
• 1.0.6
• 1.0.7
• 1.0.8
• 1.0.9
• 1.1.8
• 1.5
• 1.5.0.1
• 1.5.0.2
• 1.5.0.3
• 1.5.0.4
• 1.5.0.5
• 1.5.0.6
• 1.5.0.7
• 1.5.0.8
• 1.5.0.9
• 1.5.0.10
• 1.5.0.11
• 2
• 2.0.0.5
• 2.0.0.11
• 2.0.0.19
• 2.0.14
• 3.11.5
• 13.0
• 14
• 15
• 16
• 16.0.1
• 16.0.2
• 17.0
• 17.0.1
• 17.0.2
• 17.0.3
• 17.0.4
• 17.0.5
• 17.0.6
• 17.0.7
• 17.0.8
• 17.0.10
• 18.0
• 20.0
• 21.0
• 23.0
• 24.0
• 25.0
• 30.0
• 31
• 45.6
• 52.5.2
• 52.6
• 52.8
• 52.9
• 60.5
• 60.5.0
• 60.5.1
• 60.7.1
• 62.0
• 68.1
• 68.1.1
• 68.5
• 68.8.0
• 68.9.0
• 68.10.0
• 68.12
• 78.5.1
• 78.6.1
• 78.7
• 78.8.1
• 78.9.1
• 78.10
• 78.10.1
• 78.10.2
• 78.12
• 91.0
• 91.0.1
• 91.2
• 91.3.0
• 91.4.0
• 91.4.1
• 91.5
• 91.6
• 91.6.1
• 91.7
• 91.8
• 91.9
• 91.10
• 91.11
• 91.13.1
• 101
• 102
• 102.1
• 102.2
• 102.3
• 102.4
• 102.5
• 102.5.1
• 102.6
• 102.7
• 102.7.1
• 102.8
• 102.9
• 102.9.1
• 102.10
• 102.11
• 102.12
• 102.13
• 115.0.1

License

• open-source

Website

• Vendor: https://www.mozilla.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion