CVE-2017-7847

Current Description

Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain the user name. This vulnerability affects Thunderbird < 52.5.2.

Basic Data

Published: June 11, 2018
Last Modified: August 07, 2018
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-200
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 4.3
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

CVSS 3 - Version: 3.0
CVSS 3 - Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS 3 - Attack Vector: NETWORK
CVSS 3 - Attack Complexity: LOW
CVSS 3 - Privileges Required: NONE
CVSS 3 - User Interaction: REQUIRED
CVSS 3 - Scope: UNCHANGED
CVSS 3 - Confidentiality Impact: LOW
CVSS 3 - Integrity Impact: NONE
CVSS 3 - Availability Impact: NONE
CVSS 3 - Base Score: 4.3
CVSS 3 - Base Severity: MEDIUM
Exploitability Score: 2.8
Base Severity: MEDIUM

Configurations

  • OR - Configuration 1
    CPE Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | OS | Debian | Debian Linux | 7.0 | * | * | * | * | * | * | * | | | |
    2.3 | OS | Debian | Debian Linux | 8.0 | * | * | * | * | * | * | * | | | |
    2.3 | OS | Debian | Debian Linux | 9.0 | * | * | * | * | * | * | * | | | |
  • OR - Configuration 2
    CPE Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | OS | Redhat | Enterprise Linux Aus | 7.4 | * | * | * | * | * | * | * | | | |
    2.3 | OS | Redhat | Enterprise Linux Desktop | 6.0 | * | * | * | * | * | * | * | | | |
    2.3 | OS | Redhat | Enterprise Linux Desktop | 7.0 | * | * | * | * | * | * | * | | | |
    2.3 | OS | Redhat | Enterprise Linux Eus | 7.4 | * | * | * | * | * | * | * | | | |
    2.3 | OS | Redhat | Enterprise Linux Eus | 7.5 | * | * | * | * | * | * | * | | | |
    2.3 | OS | Redhat | Enterprise Linux Server | 6.0 | * | * | * | * | * | * | * | | | |
    2.3 | OS | Redhat | Enterprise Linux Server | 7.0 | * | * | * | * | * | * | * | | | |
    2.3 | OS | Redhat | Enterprise Linux Workstation | 6.0 | * | * | * | * | * | * | * | | | |
    2.3 | OS | Redhat | Enterprise Linux Workstation | 7.0 | * | * | * | * | * | * | * | | | |
  • OR - Configuration 3
    CPE Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | Application | Mozilla | Thunderbird | * | * | * | * | * | * | * | * | | | | 52.5.2

Vulnerable Software List

Vendor | Product | Versions
Debian | Debian Linux | 7.0, 8.0, 9.0
Mozilla | Thunderbird | *
Redhat | Enterprise Linux Workstation | 6.0, 7.0
Redhat | Enterprise Linux Eus | 7.4, 7.5
Redhat | Enterprise Linux Desktop | 6.0, 7.0
Redhat | Enterprise Linux Aus | 7.4
Redhat | Enterprise Linux Server | 6.0, 7.0

References

Name | URL | Source | Tags
102258 | http://www.securityfocus.com/bid/102258 | BID | Third Party Advisory, VDB Entry
1040123 | http://www.securitytracker.com/id/1040123 | SECTRACK | Third Party Advisory, VDB Entry
RHSA-2018:0061 | https://access.redhat.com/errata/RHSA-2018:0061 | REDHAT | Third Party Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1411708 | https://bugzilla.mozilla.org/show_bug.cgi?id=1411708 | CONFIRM | Issue Tracking, Permissions Required
[debian-lts-announce] 20171227 [SECURITY] [DLA 1223-1] thunderbird security update | https://lists.debian.org/debian-lts-announce/2017/12/msg00026.html | MLIST | Mailing List, Third Party Advisory
DSA-4075 | https://www.debian.org/security/2017/dsa-4075 | DEBIAN | Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2017-30/ | https://www.mozilla.org/security/advisories/mfsa2017-30/ | CONFIRM | Vendor Advisory