CVE-2022-1520 — Origin Validation Error in Mozilla Thunderbird

CWE-346 — Origin Validation Error CWE-326 — Inadequate Encryption Strength CWE-203 — Observable Discrepancy CWE-125 — Out-of-bounds Read9 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 73.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Thunderbird Debian Thunderbird Mozilla Firefox

Timeline

PublishedDec 22

Description

When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incorrect encryption or signature status. After opening and viewing the attached message B, when returning to the display of message A, the message A might be shown with the security status of message B. This vulnerability affects Thunderbird < 91.9.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages6 packages

▶debiandebian/thunderbird< thunderbird 1:91.9.0-1 (bookworm)

▶CVEListV5mozilla/thunderbirdunspecified — 91.9

▶NVDmozilla/thunderbird< 91.9

▶Debianmozilla/thunderbird< 1:91.9.0-1~deb11u1+3

▶Ubuntumozilla/thunderbird< 1:91.9.1+build1-0ubuntu0.18.04.1+2

🔴Vulnerability Details

GHSA

GHSA-3qrc-jgqf-vg35: When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incor↗2022-12-22

▶

OSV

CVE-2022-1520: When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incor↗2022-12-22

▶

OSV

thunderbird vulnerabilities↗2022-05-25

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2022-05-25

▶

Red Hat

Mozilla: Incorrect security status shown after viewing an attached email↗2022-05-03

▶

Debian

CVE-2022-1520: thunderbird - When viewing an email message A, which contains an attached message B, where B i...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-18: CVE-2022-1520↗

▶