CVE-2024-23330

Tuta is an encrypted email service. In versions prior to 119.10, an attacker can attach an image in a html mail which is loaded from external resource in the default setting, which should prevent loading of external resources. When displaying emails containing external content, they should be loaded by default only after confirmation by the user. However, it could be recognized that certain embedded images (see PoC) are loaded, even though the "Automatic Reloading of Images" function is disabled by default. The reloading is also done unencrypted via HTTP and redirections are followed. This behavior is unexpected for the user, since the user assumes that external content will only be loaded after explicit manual confirmation. The loading of external content in e-mails represents a risk, because this makes the sender aware that the e-mail address is used, when the e-mail was read, which device is used and expose the user's IP address. Version 119.10 contains a patch for this issue.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/tutao/tutanota/security/advisories/GHSA-32w8-v5fc-vpp7	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tuta:tutanota:*:*:*:*:*:node.js:*:*

History

01 Feb 2024, 17:20

Type	Values Removed	Values Added
First Time		Tuta Tuta tutanota
References	~~() https://github.com/tutao/tutanota/security/advisories/GHSA-32w8-v5fc-vpp7 -~~	() https://github.com/tutao/tutanota/security/advisories/GHSA-32w8-v5fc-vpp7 - Exploit, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
CPE		cpe:2.3:a:tuta:tutanota::::::node.js::*

23 Jan 2024, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-23 18:15

Updated : 2024-02-28 20:54

NVD link : CVE-2024-23330

Mitre link : CVE-2024-23330

CVE.ORG link : CVE-2024-23330

JSON object : View

Products Affected

tuta

tutanota

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2024-23330", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-01-23T18:15:19.060", "references": [{"url": "https://github.com/tutao/tutanota/security/advisories/GHSA-32w8-v5fc-vpp7", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Tuta is an encrypted email service. In versions prior to 119.10, an attacker can attach an image in a html mail which is loaded from external resource in the default setting, which should prevent loading of external resources. When displaying emails containing external content, they should be loaded by default only after confirmation by the user. However, it could be recognized that certain embedded images (see PoC) are loaded, even though the \"Automatic Reloading of Images\" function is disabled by default. The reloading is also done unencrypted via HTTP and redirections are followed. This behavior is unexpected for the user, since the user assumes that external content will only be loaded after explicit manual confirmation. The loading of external content in e-mails represents a risk, because this makes the sender aware that the e-mail address is used, when the e-mail was read, which device is used and expose the user's IP address. Version 119.10 contains a patch for this issue."}, {"lang": "es", "value": "Tuta es un servicio de correo electr\u00f3nico cifrado. En versiones anteriores a la 119.10, un atacante puede adjuntar una imagen en un correo html que se carga desde un recurso externo en la configuraci\u00f3n predeterminada, lo que deber\u00eda impedir la carga de recursos externos. Al mostrar correos electr\u00f3nicos con contenido externo, deben cargarse de forma predeterminada solo despu\u00e9s de la confirmaci\u00f3n por parte del usuario. Sin embargo, se podr\u00eda reconocer que ciertas im\u00e1genes incrustadas (ver PoC) est\u00e1n cargadas, aunque la funci\u00f3n \"Recarga autom\u00e1tica de im\u00e1genes\" est\u00e9 deshabilitada de forma predeterminada. La recarga tambi\u00e9n se realiza sin cifrar a trav\u00e9s de HTTP y se siguen las redirecciones. Este comportamiento es inesperado para el usuario, ya que el usuario asume que el contenido externo solo se cargar\u00e1 despu\u00e9s de una confirmaci\u00f3n manual expl\u00edcita. La carga de contenido externo en los correos electr\u00f3nicos representa un riesgo, porque esto hace que el remitente sepa qu\u00e9 direcci\u00f3n de correo electr\u00f3nico se utiliza, cu\u00e1ndo se ley\u00f3 el correo electr\u00f3nico, qu\u00e9 dispositivo se utiliza y expone la direcci\u00f3n IP del usuario. La versi\u00f3n 119.10 contiene un parche para este problema."}], "lastModified": "2024-02-01T17:20:38.387", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tuta:tutanota:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "04E5AB8A-90C8-44C7-90D4-376036FF6017", "versionEndExcluding": "119.10"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}