Mozilla Thunderbird up to 115.0.1 memory corruption

Summaryinfo

A vulnerability, which was classified as critical, has been found in Mozilla Thunderbird. This affects an unknown part. Performing a manipulation results in memory corruption. This vulnerability was named CVE-2023-4585. The attack may be initiated remotely. There is no available exploit. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability classified as critical has been found in Mozilla Thunderbird (Mail Client Software). This affects an unknown functionality. The manipulation with an unknown input leads to a memory corruption vulnerability. CWE is classifying the issue as CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

Memory safety bugs present in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2.

The weakness was presented 09/11/2023. The advisory is shared at mozilla.org. This vulnerability is uniquely identified as CVE-2023-4585 since 08/29/2023. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 06/20/2025).

The vulnerability scanner Nessus provides a plugin with the ID 239763 (TencentOS Server 4: thunderbird (TSSA-2024:0450)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 115.2 eliminates this vulnerability. The upgrade is hosted for download at mozilla.org.

The vulnerability is also documented in the vulnerability database at Tenable (239763). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• Mail Client Software

Vendor

• Mozilla

Name

• Thunderbird

Version

• 0.1
• 0.2
• 0.3
• 0.4
• 0.5
• 0.6
• 0.7
• 0.7.1
• 0.7.2
• 0.7.3
• 0.8
• 0.9
• 1
• 1.0
• 1.0.1
• 1.0.2
• 1.0.3
• 1.0.4
• 1.0.5
• 1.0.6
• 1.0.7
• 1.0.8
• 1.0.9
• 1.1.8
• 1.5
• 1.5.0.1
• 1.5.0.2
• 1.5.0.3
• 1.5.0.4
• 1.5.0.5
• 1.5.0.6
• 1.5.0.7
• 1.5.0.8
• 1.5.0.9
• 1.5.0.10
• 1.5.0.11
• 2
• 2.0.0.5
• 2.0.0.11
• 2.0.0.19
• 2.0.14
• 3.11.5
• 13.0
• 14
• 15
• 16
• 16.0.1
• 16.0.2
• 17.0
• 17.0.1
• 17.0.2
• 17.0.3
• 17.0.4
• 17.0.5
• 17.0.6
• 17.0.7
• 17.0.8
• 17.0.10
• 18.0
• 20.0
• 21.0
• 23.0
• 24.0
• 25.0
• 30.0
• 31
• 45.6
• 52.5.2
• 52.6
• 52.8
• 52.9
• 60.5
• 60.5.0
• 60.5.1
• 60.7.1
• 62.0
• 68.1
• 68.1.1
• 68.5
• 68.8.0
• 68.9.0
• 68.10.0
• 68.12
• 78.5.1
• 78.6.1
• 78.7
• 78.8.1
• 78.9.1
• 78.10
• 78.10.1
• 78.10.2
• 78.12
• 91.0
• 91.0.1
• 91.2
• 91.3.0
• 91.4.0
• 91.4.1
• 91.5
• 91.6
• 91.6.1
• 91.7
• 91.8
• 91.9
• 91.10
• 91.11
• 91.13.1
• 101
• 102
• 102.1
• 102.2
• 102.3
• 102.4
• 102.5
• 102.5.1
• 102.6
• 102.7
• 102.7.1
• 102.8
• 102.9
• 102.9.1
• 102.10
• 102.11
• 102.12
• 102.13
• 115.0.1

License

• open-source

Website

• Vendor: https://www.mozilla.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion