Mozilla Thunderbird up to 1.5.0.10 POP Server nsAuthSSPI::Unwrap resource management

| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.1 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Mozilla Thunderbird up to 1.5.0.10 and classified as critical. This affects the function nsAuthSSPI::Unwrap of the component POP Server. Such manipulation leads to resource management.
This vulnerability is referenced as CVE-2010-0161. No exploit is available.
It is suggested to upgrade the affected component.
Details
A vulnerability was found in Mozilla Thunderbird up to 1.5.0.10 (Mail Client Software). It has been rated as critical. Affected by this issue is the function nsAuthSSPI::Unwrap of the component POP Server. The manipulation with an unknown input leads to a resource management vulnerability. Using CWE to declare the problem leads to CWE-399. Impacted is availability. CVE summarizes:
The nsAuthSSPI::Unwrap function in extensions/auth/nsAuthSSPI.cpp in Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19 on Windows Vista, Windows Server 2008 R2, and Windows 7 allows remote SMTP, IMAP, and POP servers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via crafted data in a session that uses SSPI.
The weakness was published 03/22/2010 by Paul as Bug 511806 as not defined bug report (Bugzilla). The advisory is shared for download at bugzilla.mozilla.org. This vulnerability is handled as CVE-2010-0161. The attack may be launched remotely. No form of authentication is required for exploitation. There are known technical details, but no exploit is available.
The vulnerability scanner Nessus provides a plugin with the ID 45114 (FreeBSD : mozilla -- multiple vulnerabilities (56cfe192-329f-11df-abb2-000f20797ede)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family FreeBSD Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 165221 (SUSE Security Update for Multiple Packages (SUSE-SR:2010:013)).
Upgrading to version 1.5.0.11 eliminates this vulnerability.
The vulnerability is also documented in the databases at X-Force (56992), Tenable (45114), SecurityFocus (BID 38831†) and Vulnerability Center (SBV-25183†). Similar entries are available at VDB-52034 and VDB-52281. VulDB is the best source for vulnerability data and more expert information about this specific topic.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.mozilla.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.3VulDB Meta Temp Score: 5.1
VulDB Base Score: 5.3
VulDB Temp Score: 5.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Resource managementCWE: CWE-399 / CWE-404
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 45114
Nessus Name: FreeBSD : mozilla -- multiple vulnerabilities (56cfe192-329f-11df-abb2-000f20797ede)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
OpenVAS ID: 67138
OpenVAS Name: FreeBSD Ports: seamonkey, linux-seamonkey
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Thunderbird 1.5.0.11
Timeline
01/06/2010 🔍03/16/2010 🔍
03/16/2010 🔍
03/22/2010 🔍
03/22/2010 🔍
03/29/2010 🔍
03/19/2015 🔍
05/03/2026 🔍
Sources
Vendor: mozilla.orgAdvisory: Bug 511806
Researcher: Paul
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2010-0161 (🔍)
GCVE (CVE): GCVE-0-2010-0161
GCVE (VulDB): GCVE-100-52280
OVAL: 🔍
X-Force: 56992
SecurityFocus: 38831 - Mozilla Thunderbird Multiple Denial of Service Vulnerabilities
Vulnerability Center: 25183 - Mozilla Thunderbird and SeaMonkey Remote DoS Vulnerability via Crafted Data in a SSPI Session, Medium
See also: 🔍
Entry
Created: 03/19/2015 12:22Updated: 05/03/2026 00:18
Changes: 03/19/2015 12:22 (66), 02/22/2017 10:51 (9), 09/05/2021 14:58 (4), 09/05/2021 15:02 (1), 05/03/2026 00:18 (17)
Complete: 🔍
Cache ID: 216::103
VulDB is the best source for vulnerability data and more expert information about this specific topic.
No comments yet. Languages: en.
Please log in to comment.