CVE-2022-2226: Authentication Bypass by Capture-replay in Mozilla Thunderbird

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.3% (top 51.00%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 22

Description

An OpenPGP digital signature includes information about the date when the signature was created. When displaying an email that contains a digital signature, the email's date is shown. If the two dates differed, Thunderbird did not report the email as having an invalid signature. If an attacker performed a replay attack, in which an old email with old contents is resent at a later time, it could lead the victim to believe that the statements in the email are current. Fixed versions of

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (6 packages)

Source | Package | Affected range
debian | debian/thunderbird | < thunderbird 1:91.11.0-1 (bookworm)
CVEListV5 | mozilla/thunderbird | unspecified, 102 (+1 more)
NVD | mozilla/thunderbird | < 91.11 (+1 more)
Debian | mozilla/thunderbird | < 1:91.11.0-1~deb11u1 (+3 more)
Ubuntu | mozilla/thunderbird | < 1:91.11.0+build2-0ubuntu0.18.04.1 (+2 more)

Vulnerability Details (3)

OSV: CVE-2022-2226: An OpenPGP digital signature includes information about the date when the signature was created (2022-12-22)
GHSA: GHSA-g426-wcxv-272f: An OpenPGP digital signature includes information about the date when the signature was created (2022-12-22)
OSV: thunderbird vulnerabilities (2022-07-14)

Vendor Advisories (4)

Ubuntu: Thunderbird vulnerabilities (2022-07-14)
Red Hat: Mozilla: An email with a mismatching OpenPGP signature date was accepted as valid (2022-06-28)
Debian: CVE-2022-2226: thunderbird - An OpenPGP digital signature includes information about the date when the signat... (2022)
Mozilla: Mozilla Foundation Security Advisory 2022-26: CVE-2022-2226