CVE-2023-0547Improper Certificate Validation in Mozilla Thunderbird

CWE-295Improper Certificate ValidationCWE-356Product UI does not Warn User of Unsafe Actions9 documents8 sources
Severity
6.5MEDIUMNVD
EPSS
0.1%
top 66.79%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Mozilla Thunderbird
Timeline
PublishedJun 2

Description

OCSP revocation status of recipient certificates was not checked when sending S/Mime encrypted email, and revoked certificates would be accepted. Thunderbird versions from 68 to 102.9.1 were affected by this bug. This vulnerability affects Thunderbird < 102.10.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

CVEListV5mozilla/thunderbirdunspecified102.10
NVDmozilla/thunderbird68.0102.10
Debianmozilla/thunderbird< 1:102.10.0-1~deb11u1+3
Ubuntumozilla/thunderbird< 1:102.10.0+build2-0ubuntu0.18.04.1+2

🔴Vulnerability Details

4
OSV
CVE-2023-0547: OCSP revocation status of recipient certificates was not checked when sending S/Mime encrypted email, and revoked certificates would be accepted2023-06-02
GHSA
GHSA-r9gq-fgfv-3p2p: OCSP revocation status of recipient certificates was not checked when sending S/Mime encrypted email, and revoked certificates would be accepted2023-06-02
CVEList
CVE-2023-0547: OCSP revocation status of recipient certificates was not checked when sending S/Mime encrypted email, and revoked certificates would be accepted2023-06-02
OSV
thunderbird vulnerabilities2023-04-13

📋Vendor Advisories

4
Ubuntu
Thunderbird vulnerabilities2023-04-13
Red Hat
Thunderbird: Revocation status of S/Mime recipient certificates was not checked2023-04-11
Debian
CVE-2023-0547: thunderbird - OCSP revocation status of recipient certificates was not checked when sending S/...2023
Mozilla
Mozilla Foundation Security Advisory 2023-15: CVE-2023-0547
CVE-2023-0547 — Improper Certificate Validation | cvebase