CVE-2023-0430 — Improper Certificate Validation in Mozilla Thunderbird

CWE-295 — Improper Certificate Validation CWE-299 — Improper Check for Certificate Revocation8 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 77.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Thunderbird Debian Thunderbird Mozilla Firefox

Timeline

PublishedJun 2

Description

Certificate OCSP revocation status was not checked when verifying S/Mime signatures. Mail signed with a revoked certificate would be displayed as having a valid signature. Thunderbird versions from 68 to 102.7.0 were affected by this bug. This vulnerability affects Thunderbird < 102.7.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages6 packages

▶debiandebian/thunderbird< thunderbird 1:102.7.1+1-1 (bookworm)

▶CVEListV5mozilla/thunderbirdunspecified — 102.7.1

▶NVDmozilla/thunderbird68.0 — 102.7.1

▶Debianmozilla/thunderbird< 1:102.8.0-1~deb11u1+3

▶Ubuntumozilla/thunderbird< 1:102.7.1+build2-0ubuntu0.18.04.1+2

🔴Vulnerability Details

GHSA

GHSA-gg8h-rvx3-6c4c: Certificate OCSP revocation status was not checked when verifying S/Mime signatures↗2023-06-02

▶

OSV

CVE-2023-0430: Certificate OCSP revocation status was not checked when verifying S/Mime signatures↗2023-06-02

▶

OSV

thunderbird vulnerabilities↗2023-02-06

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2023-02-06

▶

Red Hat

Mozilla: Revocation status of S/Mime signature certificates was not checked↗2023-01-23

▶

Debian

CVE-2023-0430: thunderbird - Certificate OCSP revocation status was not checked when verifying S/Mime signatu...↗2023

▶

Mozilla

Mozilla Foundation Security Advisory 2023-04: CVE-2023-0430↗

▶