The remote Ubuntu 21.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5246-1 advisory.

  - Thunderbird unexpectedly enabled JavaScript in the composition area. The JavaScript execution context was     limited to this area and did not receive chrome-level privileges, but could be used as a stepping stone to     further an attack with other vulnerabilities. This vulnerability affects Thunderbird < 91.4.0.
    (CVE-2021-43528)

  - Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the     target URL. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.
    (CVE-2021-43536)

  - An incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory     leading to a potentially exploitable crash. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR <     91.4.0, and Firefox < 95. (CVE-2021-43537)

  - By misusing a race in our notification code, an attacker could have forcefully hidden the notification for     pages that had received full screen and pointer lock access, which could have been used for spoofing     attacks. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.
    (CVE-2021-43538)

  - Failure to correctly record the location of live pointers across wasm instance calls resulted in a GC     occurring within the call not tracing those live pointers. This could have led to a use-after-free causing     a potentially exploitable crash. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0,     and Firefox < 95. (CVE-2021-43539)

  - When invoking protocol handlers for external protocols, a supplied parameter URL containing spaces was not     properly escaped. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.
    (CVE-2021-43541)

  - Using XMLHttpRequest, an attacker could have identified installed applications by probing error messages     for loading external protocols. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and     Firefox < 95. (CVE-2021-43542)

  - Documents loaded with the CSP sandbox directive could have escaped the sandbox's script restriction by     embedding additional content. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and     Firefox < 95. (CVE-2021-43543)

  - Using the Location API in a loop could have caused severe application hangs and crashes. This     vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. (CVE-2021-43545)

  - It was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor.
    This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. (CVE-2021-43546)

  - The olm_session_describe function in Matrix libolm before 3.2.7 is vulnerable to a buffer overflow. The     Olm session object represents a cryptographic channel between two parties. Therefore, its state is     partially controllable by the remote party of the channel. Attackers can construct a crafted sequence of     messages to manipulate the state of the receiver's session in such a way that, for some buffer sizes, a     buffer overflow happens on a call to olm_session_describe. Furthermore, safe buffer sizes were     undocumented. The overflow content is partially controllable by the attacker and limited to ASCII spaces     and digits. The known affected products are Element Web And SchildiChat Web. (CVE-2021-44538)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Detections

Analytics

Ubuntu 21.10 : Thunderbird vulnerabilities (USN-5246-1)

critical Nessus Plugin ID 156962

Version 1.6

Version 1.5

Version 1.5

Version 1.4

Version 1.6 Jul 11, 2023, 4:01 AM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") Detection Exploit attributes ("Exploit available" set to "True". "Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202307110401
Version 1.5 Jan 18, 2023, 9:01 AM Logic Changes (Added support for s390x) Plugin Feed: 202301180901
Version 1.5 Jul 11, 2023, 1:48 AM Detection CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C") Exploit attributes ("Exploit available" set to "True") Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202307110148
Version 1.4 Jan 9, 2023, 4:06 PM CVSS metrics ("CVSSv3 score" changed from "9.8" to "10.0") CVSS metrics ("CVSSv3 vector" changed from "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" to "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H") CVSSv3 score source (set to "CVE-2021-4140") Plugin Feed: 202301091606