CVE-2023-50761
published 2023-12-19CVE-2023-50761: The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time. If present, Thunderbird did not compare…
medium4.3CVSS 3.1
AVNACLPRNUIRSUCNILAN
The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time. If present, Thunderbird did not compare the signature creation date with the message date and time, and displayed a valid signature despite a date or time mismatch. This could be used to give recipients the impression that a message was sent at a different date or time. This vulnerability affects Thunderbird < 115.6.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | thunderbird | < thunderbird 1:115.6.0-1~deb12u1 (bookworm) | thunderbird 1:115.6.0-1~deb12u1 (bookworm) |
| mozilla | firefox | — | — |
| mozilla | thunderbird | < 115.6 | 115.6 |
| mozilla | thunderbird | >= 0 < 1:115.6.0-1~deb11u1 | 1:115.6.0-1~deb11u1 |
| mozilla | thunderbird | >= 0 < 1:115.6.0-1~deb12u1 | 1:115.6.0-1~deb12u1 |
| mozilla | thunderbird | >= 0 < 1:115.6.0-1 | 1:115.6.0-1 |
| mozilla | thunderbird | >= 0 < 1:115.6.0-1 | 1:115.6.0-1 |
| mozilla | thunderbird | >= 0 < 1:115.6.0+build2-0ubuntu0.20.04.1 | 1:115.6.0+build2-0ubuntu0.20.04.1 |
| mozilla | thunderbird | >= 0 < 1:115.6.0+build2-0ubuntu0.22.04.1 | 1:115.6.0+build2-0ubuntu0.22.04.1 |
| mozilla | thunderbird | >= unspecified < 115.6 | 115.6 |
CVSS provenance
nvdv3.14.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
osv4.3MEDIUM
OSV
thunderbird vulnerabilities
osv·2024-01-02·CVSS 4.3
CVE-2023-6857 [MEDIUM] thunderbird vulnerabilities
thunderbird vulnerabilities
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, cross-site
tracing, or execute arbitrary code.(CVE-2023-6857, CVE-2023-6858,
CVE-2023-6859, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864)
Marcus Brinkmann discovered that Thunderbird did not properly parse a PGP/MIME
payload that contains digitally signed text. An attacker could potentially
exploit this issue to spoof an email message. (CVE-2023-50762)
Marcus Brinkmann discovered that Thunderbird did not properly compare the
signature creation date with the message date an
OSV
CVE-2023-50761: The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time
osv·2023-12-19·CVSS 4.3
CVE-2023-50761 [MEDIUM] CVE-2023-50761: The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time
The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time. If present, Thunderbird did not compare the signature creation date with the message date and time, and displayed a valid signature despite a date or time mismatch. This could be used to give recipients the impression that a message was sent at a different date or time. This vulnerability affects Thunderbird < 115.6.
GHSA
GHSA-86pm-w7xp-8c7p: The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time
ghsa_unreviewed·2023-12-19
CVE-2023-50761 [MEDIUM] GHSA-86pm-w7xp-8c7p: The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time
The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time. If present, Thunderbird did not compare the signature creation date with the message date and time, and displayed a valid signature despite a date or time mismatch. This could be used to give recipients the impression that a message was sent at a different date or time. This vulnerability affects Thunderbird < 115.6.
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2024-01-02·CVSS 4.3
CVE-2023-6859 [MEDIUM] Thunderbird vulnerabilities
Title: Thunderbird vulnerabilities
Summary: Several security issues were fixed in Thunderbird.
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, cross-site
tracing, or execute arbitrary code.(CVE-2023-6857, CVE-2023-6858,
CVE-2023-6859, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864)
Marcus Brinkmann discovered that Thunderbird did not properly parse a PGP/MIME
payload that contains digitally signed text. An attacker could potentially
exploit this issue to spoof an email message. (CVE-2023-50762)
Marcus Brinkmann discovered that Thunderbird did not p
Red Hat
Mozilla: S/MIME signature accepted despite mismatching message date
vendor_redhat·2023-12-19·CVSS 4.3
CVE-2023-50761 [MEDIUM] CWE-347 Mozilla: S/MIME signature accepted despite mismatching message date
Mozilla: S/MIME signature accepted despite mismatching message date
The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time. If present, Thunderbird did not compare the signature creation date with the message date and time, and displayed a valid signature despite a date or time mismatch. This could be used to give recipients the impression that a message was sent at a different date or time. This vulnerability affects Thunderbird < 115.6.
The Mozilla Foundation Security Advisory: The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time. If present, Thunderbird did not compare the signature creation date with the message date and time, and displayed a valid signature d
Debian
CVE-2023-50761: thunderbird - The signature of a digitally signed S/MIME email message may optionally specify ...
vendor_debian·2023·CVSS 4.3
CVE-2023-50761 [MEDIUM] CVE-2023-50761: thunderbird - The signature of a digitally signed S/MIME email message may optionally specify ...
The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time. If present, Thunderbird did not compare the signature creation date with the message date and time, and displayed a valid signature despite a date or time mismatch. This could be used to give recipients the impression that a message was sent at a different date or time. This vulnerability affects Thunderbird < 115.6.
Scope: local
bookworm: resolved (fixed in 1:115.6.0-1~deb12u1)
bullseye: resolved (fixed in 1:115.6.0-1~deb11u1)
forky: resolved (fixed in 1:115.6.0-1)
sid: resolved (fixed in 1:115.6.0-1)
trixie: resolved (fixed in 1:115.6.0-1)
Mozilla
Mozilla Foundation Security Advisory 2023-55: CVE-2023-50761
vendor_mozilla·CVSS 4.3
CVE-2023-50761 [MEDIUM] Mozilla Foundation Security Advisory 2023-55: CVE-2023-50761
Mozilla Foundation Security Advisory 2023-55
CVE: CVE-2023-50761
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 115.6
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://bugzilla.mozilla.org/show_bug.cgi?id=1865647https://lists.debian.org/debian-lts-announce/2023/12/msg00021.htmlhttps://www.debian.org/security/2023/dsa-5582https://www.mozilla.org/security/advisories/mfsa2023-55/https://bugzilla.mozilla.org/show_bug.cgi?id=1865647https://lists.debian.org/debian-lts-announce/2023/12/msg00021.htmlhttps://www.debian.org/security/2023/dsa-5582https://www.mozilla.org/security/advisories/mfsa2023-55/
2023-12-19
Published