CVE-2023-50762: Improper Verification of Cryptographic Signature in Mozilla Thunderbird

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.2% (top 59.87%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 19; Latest update Jan 2

Description

When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user. This is because the text was interpreted as a MIME message and the first paragraph was always treated as an email header section. A digitally signed text from a different context, such as a signed GIT commit, could be used to spoof an email message. This vulnerability affects Thunderbird < 115.6.
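As an added illustration (not cvebase's, NVD's or Mozilla's code, and not Thunderbird's actual parser), the following Python models the behaviour the description reports: when verified signed text is handed to a MIME parser as though it were a whole message, every line before the first blank line is consumed as a header block and never reaches the rendered view. The constructed sample deliberately starts with the `Key: value` trailer lines found in a signed Git commit, the case the description names. The `looks_like_mime_entity` check is one possible mitigation and an assumption of this example rather than the fix shipped in Thunderbird 115.6: the payload is parsed as MIME only when a header block carrying MIME headers is actually present, and is otherwise shown verbatim.

```python
import email
from email.message import Message

# Constructed sample: verified signed text whose first paragraph consists of
# "Key: value" lines, the shape of a signed Git commit's trailers.
SIGNED_TEXT = (
    "Signed-off-by: Alice Example <alice@example.invalid>\n"
    "Reviewed-by: Bob Example <bob@example.invalid>\n"
    "\n"
    "Please approve the transfer described below.\n"
)

# Constructed sample: a genuine PGP/MIME inner part, which does begin with a
# MIME header block and is therefore safe to hand to a MIME parser.
MIME_PART = (
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Hello from a proper MIME part.\n"
)


def render_naive(signed_text: str) -> str:
    """Model of the flawed behaviour: the signed text is parsed as a complete
    message, so every line up to the first blank line becomes a header and
    only the remainder is returned for display."""
    msg: Message = email.message_from_string(signed_text)
    return msg.get_payload()


def looks_like_mime_entity(signed_text: str) -> bool:
    """Return True only if the text begins with a header block that carries
    MIME headers (Content-Type or MIME-Version). Only the head is parsed,
    so the body text plays no part in the decision."""
    head, sep, _body = signed_text.partition("\n\n")
    if not sep:
        return False  # no header/body separator at all
    headers = email.message_from_string(head + "\n\n")
    # Message.__contains__ compares header names case-insensitively.
    return "content-type" in headers or "mime-version" in headers


def render_safe(signed_text: str) -> str:
    """Assumed mitigation: only a demonstrable MIME entity is parsed as one;
    anything else is shown verbatim, so the first paragraph survives."""
    if looks_like_mime_entity(signed_text):
        return render_naive(signed_text)
    return signed_text


if __name__ == "__main__":
    print("naive:", repr(render_naive(SIGNED_TEXT)))  # trailer lines are gone
    print("safe: ", repr(render_safe(SIGNED_TEXT)))   # full text preserved
    print("mime: ", repr(render_safe(MIME_PART)))
```

Running the block shows the naive path silently dropping the `Signed-off-by` and `Reviewed-by` paragraph while the signature still verifies, which is exactly why a reader could be shown text that was never written as an email. The sample uses LF line endings; a production check would also have to accept CRLF before the header/body split.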

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (Exploitability: 2.8 | Impact: 1.4)

Affected Packages (4 packages)

CVEListV5: mozilla/thunderbird (introduced: unspecified; fixed: 115.6)
NVD: mozilla/thunderbird < 115.6
Debian: mozilla/thunderbird < 1:115.6.0-1~deb11u1+3
Ubuntu: mozilla/thunderbird < 1:115.6.0+build2-0ubuntu0.20.04.1+1

Also affects: Debian Linux 11.0, 12.0

🔴 Vulnerability Details (4)

OSV: thunderbird vulnerabilities (2024-01-02)
GHSA: GHSA-63rr-fhmr-42fq: When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user (2023-12-19)
OSV: CVE-2023-50762: When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user (2023-12-19)
CVEList: CVE-2023-50762: When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user (2023-12-19)

📋 Vendor Advisories (4)

Ubuntu: Thunderbird vulnerabilities (2024-01-02)
Red Hat: Mozilla: Truncated signed text was shown with a valid OpenPGP signature (2023-12-19)
Debian: CVE-2023-50762: thunderbird - When processing a PGP/MIME payload that contains digitally signed text, the firs... (2023)
Mozilla: Mozilla Foundation Security Advisory 2023-55: CVE-2023-50762
CVE-2023-50762 — Mozilla Thunderbird vulnerability | cvebase