CVE-2022-1197 — Improper Certificate Validation in Mozilla Thunderbird

CWE-295 — Improper Certificate Validation9 documents8 sources

Severity

5.4MEDIUMNVD

OSV6.5

EPSS

0.2%

top 52.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Thunderbird Debian Thunderbird Mozilla Firefox

Timeline

PublishedDec 22

Description

When importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not update the existing copy of the key that was not yet revoked, and the existing key was kept as non-revoked. Revocation statements that used another revocation reason, or that didn't specify a revocation reason, were unaffected. This vulnerability affects Thunderbird < 91.8.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages6 packages

▶debiandebian/thunderbird< thunderbird 1:91.8.0-1 (bookworm)

▶CVEListV5mozilla/thunderbirdunspecified — 91.8

▶NVDmozilla/thunderbird< 91.8

▶Debianmozilla/thunderbird< 1:91.8.0-1~deb11u1+3

▶Ubuntumozilla/thunderbird< 1:91.8.1+build1-0ubuntu0.18.04.1+1

🔴Vulnerability Details

GHSA

GHSA-h922-mv7w-mhm4: When importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not update the existing copy of the key that was↗2022-12-22

▶

OSV

CVE-2022-1197: When importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not update the existing copy of the key that was↗2022-12-22

▶

OSV

thunderbird vulnerabilities↗2022-04-27

▶

💥Exploits & PoCs

Metasploit

TAR Path Traversal in Zimbra (CVE-2022-41352)↗

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2022-04-27

▶

Red Hat

Mozilla: OpenPGP revocation information was ignored↗2022-04-05

▶

Debian

CVE-2022-1197: thunderbird - When importing a revoked key that specified key compromise as the revocation rea...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-15: CVE-2022-1197↗

▶