CVE-2022-3155 — Incorrect Default Permissions in Mozilla Thunderbird

CWE-276 — Incorrect Default Permissions CWE-449 — The UI Performs the Wrong Action5 documents5 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 88.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Thunderbird Debian Thunderbird Mozilla Firefox

Timeline

PublishedDec 22

Description

When saving or opening an email attachment on macOS, Thunderbird did not set attribute com.apple.quarantine on the received file. If the received file was an application and the user attempted to open it, then the application was started immediately without asking the user to confirm. This vulnerability affects Thunderbird < 102.3.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5mozilla/thunderbirdunspecified — 102.3

▶NVDmozilla/thunderbird< 102.3

▶debiandebian/thunderbird

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

GHSA-6gfq-p2cr-3q5j: When saving or opening an email attachment on macOS, Thunderbird did not set attribute com↗2022-12-22

▶

📋Vendor Advisories

Red Hat

Mozilla: Attachment files saved to disk on macOS could be executed without warning↗2022-09-20

▶

Debian

CVE-2022-3155: thunderbird - When saving or opening an email attachment on macOS, Thunderbird did not set att...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-42: CVE-2022-3155↗

▶