{"id":"USN-3660-1","summary":"thunderbird vulnerabilities","details":"Multiple security issues were discovered in Thunderbird. If a user were\ntricked into opening a specially crafted website in a browsing context,\nan attacker could potentially exploit these to cause a denial of service\nvia application crash, install lightweight themes without user\ninteraction, or execute arbitrary code. (CVE-2018-5150, CVE-2018-5154,\nCVE-2018-5155, CVE-2018-5159, CVE-2018-5168, CVE-2018-5178)\n\nAn issue was discovered when processing message headers in Thunderbird. If\na user were tricked into opening a specially crafted message, an attacker\ncould potentially exploit this to cause a denial of service via\napplication hang. (CVE-2018-5161)\n\nIt was discovered that encrypted messages could leak plaintext via the src\nattribute of remote images or links. An attacker could potentially exploit\nthis to obtain sensitive information. (CVE-2018-5162)\n\nIt was discovered that the filename of an attachment could be spoofed. An\nattacker could potentially exploit this by tricking the user into opening\nan attachment of a different type to the one expected. (CVE-2018-5170)\n\nMultiple security issues were discovered in Skia. If a user were tricked\ninto opening a specially crafted message, an attacker could potentially\nexploit these to cause a denial of service via application crash, or\nexecute arbitrary code. (CVE-2018-5183)\n\nIt was discovered that S/MIME encrypted messages with remote content could\nleak plaintext via a chosen-ciphertext attack. An attacker could\npotentially exploit this to obtain sensitive information. (CVE-2018-5184)\n\nIt was discovered that plaintext of decrypted emails could leak by\nsubmitting an embedded form. An attacker could potentially exploit this to\nobtain sensitive information. 
(CVE-2018-5185)\n","modified":"2026-02-10T04:41:21Z","published":"2018-05-25T20:41:34Z","related":["UBUNTU-CVE-2018-5150","UBUNTU-CVE-2018-5154","UBUNTU-CVE-2018-5155","UBUNTU-CVE-2018-5159","UBUNTU-CVE-2018-5161","UBUNTU-CVE-2018-5162","UBUNTU-CVE-2018-5168","UBUNTU-CVE-2018-5170","UBUNTU-CVE-2018-5178","UBUNTU-CVE-2018-5183","UBUNTU-CVE-2018-5184","UBUNTU-CVE-2018-5185"],"upstream":["CVE-2018-5150","CVE-2018-5154","CVE-2018-5155","CVE-2018-5159","CVE-2018-5161","CVE-2018-5162","CVE-2018-5168","CVE-2018-5170","CVE-2018-5178","CVE-2018-5183","CVE-2018-5184","CVE-2018-5185","UBUNTU-CVE-2018-5150","UBUNTU-CVE-2018-5154","UBUNTU-CVE-2018-5155","UBUNTU-CVE-2018-5159","UBUNTU-CVE-2018-5161","UBUNTU-CVE-2018-5162","UBUNTU-CVE-2018-5168","UBUNTU-CVE-2018-5170","UBUNTU-CVE-2018-5178","UBUNTU-CVE-2018-5183","UBUNTU-CVE-2018-5184","UBUNTU-CVE-2018-5185"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-3660-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-5150"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-5154"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-5155"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-5159"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-5161"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-5162"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-5168"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-5170"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-5178"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-5183"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-5184"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-5185"}],"affected":[{"package":{"name":"thunderbird","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/thunderbird@1:52.8.0+build1-0ubuntu0.14.04.1?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixe
d":"1:52.8.0+build1-0ubuntu0.14.04.1"}]}],"versions":["1:24.0+build1-0ubuntu1","1:24.0+build1-0ubuntu2","1:24.1.1+build1-0ubuntu0.13.10.1","1:24.1.1+build1-0ubuntu1","1:24.2.0+build1-0ubuntu1","1:24.4.0+build1-0ubuntu1","1:24.5.0+build1-0ubuntu0.14.04.1","1:24.6.0+build1-0ubuntu0.14.04.1","1:31.0+build1-0ubuntu0.14.04.1","1:31.1.1+build1-0ubuntu0.14.04.1","1:31.1.2+build1-0ubuntu0.14.04.1","1:31.2.0+build2-0ubuntu0.14.04.1","1:31.3.0+build1-0ubuntu0.14.04.1","1:31.4.0+build1-0ubuntu0.14.04.1","1:31.5.0+build1-0ubuntu0.14.04.1","1:31.6.0+build1-0ubuntu0.14.04.1","1:31.7.0+build1-0ubuntu0.14.04.1","1:31.8.0+build1-0ubuntu0.14.04.1","1:38.2.0+build1-0ubuntu0.14.04.1","1:38.3.0+build1-0ubuntu0.14.04.1","1:38.4.0+build3-0ubuntu0.14.04.1","1:38.5.1+build2-0ubuntu0.14.04.1","1:38.6.0+build1-0ubuntu0.14.04.1","1:38.7.2+build1-0ubuntu0.14.04.1","1:38.8.0+build1-0ubuntu0.14.04.1","1:45.2.0+build1-0ubuntu0.14.04.3","1:45.3.0+build1-0ubuntu0.14.04.4","1:45.4.0+build1-0ubuntu0.14.04.1","1:45.5.1+build1-0ubuntu0.14.04.1","1:45.7.0+build1-0ubuntu0.14.04.1","1:45.8.0+build1-0ubuntu0.14.04.1","1:52.1.1+build1-0ubuntu0.14.04.1","1:52.2.1+build1-0ubuntu0.14.04.1","1:52.3.0+build1-0ubuntu0.14.04.1","1:52.4.0+build1-0ubuntu0.14.04.2","1:52.5.0+build1-0ubuntu0.14.04.1","1:52.6.0+build1-0ubuntu0.14.04.1","1:52.7.0+build1-0ubuntu0.14.04.1"],"ecosystem_specific":{"availability":"No subscription 
required","binaries":[{"binary_version":"1:52.8.0+build1-0ubuntu0.14.04.1","binary_name":"thunderbird"},{"binary_version":"1:52.8.0+build1-0ubuntu0.14.04.1","binary_name":"thunderbird-dev"},{"binary_version":"1:52.8.0+build1-0ubuntu0.14.04.1","binary_name":"thunderbird-globalmenu"},{"binary_version":"1:52.8.0+build1-0ubuntu0.14.04.1","binary_name":"thunderbird-gnome-support"},{"binary_version":"1:52.8.0+build1-0ubuntu0.14.04.1","binary_name":"thunderbird-mozsymbols"},{"binary_version":"1:52.8.0+build1-0ubuntu0.14.04.1","binary_name":"thunderbird-testsuite"},{"binary_version":"1:52.8.0+build1-0ubuntu0.14.04.1","binary_name":"xul-ext-calendar-timezones"},{"binary_version":"1:52.8.0+build1-0ubuntu0.14.04.1","binary_name":"xul-ext-gdata-provider"},{"binary_version":"1:52.8.0+build1-0ubuntu0.14.04.1","binary_name":"xul-ext-lightning"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3660-1.json","cves_map":{"cves":[{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5150"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5154"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5155"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5159"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5161"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5162"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5168"},{"
severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5170"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}],"id":"CVE-2018-5178"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5183"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5184"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5185"}],"ecosystem":"Ubuntu:14.04:LTS"}}},{"package":{"name":"thunderbird","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/thunderbird@1:52.8.0+build1-0ubuntu0.16.04.1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:52.8.0+build1-0ubuntu0.16.04.1"}]}],"versions":["1:38.3.0+build1-0ubuntu2","1:38.5.1+build2-0ubuntu1","1:38.6.0+build1-0ubuntu1","1:38.7.2+build1-0ubuntu0.16.04.1","1:38.8.0+build1-0ubuntu0.16.04.1","1:45.2.0+build1-0ubuntu0.16.04.1","1:45.3.0+build1-0ubuntu0.16.04.2","1:45.4.0+build1-0ubuntu0.16.04.1","1:45.5.1+build1-0ubuntu0.16.04.1","1:45.7.0+build1-0ubuntu0.16.04.1","1:45.8.0+build1-0ubuntu0.16.04.1","1:52.1.1+build1-0ubuntu0.16.04.1","1:52.2.1+build1-0ubuntu0.16.04.1","1:52.3.0+build1-0ubuntu0.16.04.1","1:52.4.0+build1-0ubuntu0.16.04.2","1:52.5.0+build1-0ubuntu0.16.04.1","1:52.6.0+build1-0ubuntu0.16.04.1","1:52.7.0+build1-0ubuntu0.16.04.1"],"ecosystem_specific":{"availability":"No subscription 
required","binaries":[{"binary_version":"1:52.8.0+build1-0ubuntu0.16.04.1","binary_name":"thunderbird"},{"binary_version":"1:52.8.0+build1-0ubuntu0.16.04.1","binary_name":"thunderbird-dev"},{"binary_version":"1:52.8.0+build1-0ubuntu0.16.04.1","binary_name":"thunderbird-globalmenu"},{"binary_version":"1:52.8.0+build1-0ubuntu0.16.04.1","binary_name":"thunderbird-gnome-support"},{"binary_version":"1:52.8.0+build1-0ubuntu0.16.04.1","binary_name":"thunderbird-mozsymbols"},{"binary_version":"1:52.8.0+build1-0ubuntu0.16.04.1","binary_name":"thunderbird-testsuite"},{"binary_version":"1:52.8.0+build1-0ubuntu0.16.04.1","binary_name":"xul-ext-calendar-timezones"},{"binary_version":"1:52.8.0+build1-0ubuntu0.16.04.1","binary_name":"xul-ext-gdata-provider"},{"binary_version":"1:52.8.0+build1-0ubuntu0.16.04.1","binary_name":"xul-ext-lightning"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3660-1.json","cves_map":{"cves":[{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5150"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5154"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5155"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5159"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5161"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5162"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5168"},{"
severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5170"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}],"id":"CVE-2018-5178"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5183"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5184"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5185"}],"ecosystem":"Ubuntu:16.04:LTS"}}},{"package":{"name":"thunderbird","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/thunderbird@1:52.8.0+build1-0ubuntu0.18.04.1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:52.8.0+build1-0ubuntu0.18.04.1"}]}],"versions":["1:52.4.0+build1-0ubuntu2","1:52.6.0+build1-0ubuntu1","1:52.7.0+build1-0ubuntu1"],"ecosystem_specific":{"availability":"No subscription 
required","binaries":[{"binary_version":"1:52.8.0+build1-0ubuntu0.18.04.1","binary_name":"thunderbird"},{"binary_version":"1:52.8.0+build1-0ubuntu0.18.04.1","binary_name":"thunderbird-dev"},{"binary_version":"1:52.8.0+build1-0ubuntu0.18.04.1","binary_name":"thunderbird-globalmenu"},{"binary_version":"1:52.8.0+build1-0ubuntu0.18.04.1","binary_name":"thunderbird-gnome-support"},{"binary_version":"1:52.8.0+build1-0ubuntu0.18.04.1","binary_name":"thunderbird-mozsymbols"},{"binary_version":"1:52.8.0+build1-0ubuntu0.18.04.1","binary_name":"thunderbird-testsuite"},{"binary_version":"1:52.8.0+build1-0ubuntu0.18.04.1","binary_name":"xul-ext-calendar-timezones"},{"binary_version":"1:52.8.0+build1-0ubuntu0.18.04.1","binary_name":"xul-ext-gdata-provider"},{"binary_version":"1:52.8.0+build1-0ubuntu0.18.04.1","binary_name":"xul-ext-lightning"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3660-1.json","cves_map":{"cves":[{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5150"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5154"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5155"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5159"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5161"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5162"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5168"},{"
severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5170"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}],"id":"CVE-2018-5178"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5183"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5184"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2018-5185"}],"ecosystem":"Ubuntu:18.04:LTS"}}}],"schema_version":"1.7.3"}