CVE-2023-50762
published 2023-12-19CVE-2023-50762: When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user. This is because the text…
medium4.3CVSS 3.1
AVNACLPRNUIRSUCNILAN
When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user. This is because the text was interpreted as a MIME message and the first paragraph was always treated as an email header section. A digitally signed text from a different context, such as a signed GIT commit, could be used to spoof an email message. This vulnerability affects Thunderbird < 115.6.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | thunderbird | < thunderbird 1:115.6.0-1~deb12u1 (bookworm) | thunderbird 1:115.6.0-1~deb12u1 (bookworm) |
| mozilla | firefox | — | — |
| mozilla | thunderbird | < 115.6 | 115.6 |
| mozilla | thunderbird | >= 0 < 1:115.6.0-1~deb11u1 | 1:115.6.0-1~deb11u1 |
| mozilla | thunderbird | >= 0 < 1:115.6.0-1~deb12u1 | 1:115.6.0-1~deb12u1 |
| mozilla | thunderbird | >= 0 < 1:115.6.0-1 | 1:115.6.0-1 |
| mozilla | thunderbird | >= 0 < 1:115.6.0-1 | 1:115.6.0-1 |
| mozilla | thunderbird | >= 0 < 1:115.6.0+build2-0ubuntu0.20.04.1 | 1:115.6.0+build2-0ubuntu0.20.04.1 |
| mozilla | thunderbird | >= 0 < 1:115.6.0+build2-0ubuntu0.22.04.1 | 1:115.6.0+build2-0ubuntu0.22.04.1 |
| mozilla | thunderbird | >= unspecified < 115.6 | 115.6 |
CVSS provenance
nvdv3.14.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
osv4.3MEDIUM
OSV
thunderbird vulnerabilities
osv·2024-01-02·CVSS 4.3
CVE-2023-6857 [MEDIUM] thunderbird vulnerabilities
thunderbird vulnerabilities
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, cross-site
tracing, or execute arbitrary code.(CVE-2023-6857, CVE-2023-6858,
CVE-2023-6859, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864)
Marcus Brinkmann discovered that Thunderbird did not properly parse a PGP/MIME
payload that contains digitally signed text. An attacker could potentially
exploit this issue to spoof an email message. (CVE-2023-50762)
Marcus Brinkmann discovered that Thunderbird did not properly compare the
signature creation date with the message date an
GHSA
GHSA-63rr-fhmr-42fq: When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user
ghsa_unreviewed·2023-12-19
CVE-2023-50762 [MEDIUM] GHSA-63rr-fhmr-42fq: When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user
When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user. This is because the text was interpreted as a MIME message and the first paragraph was always treated as an email header section. A digitally signed text from a different context, such as a signed GIT commit, could be used to spoof an email message. This vulnerability affects Thunderbird < 115.6.
OSV
CVE-2023-50762: When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user
osv·2023-12-19·CVSS 4.3
CVE-2023-50762 [MEDIUM] CVE-2023-50762: When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user
When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user. This is because the text was interpreted as a MIME message and the first paragraph was always treated as an email header section. A digitally signed text from a different context, such as a signed GIT commit, could be used to spoof an email message. This vulnerability affects Thunderbird < 115.6.
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2024-01-02·CVSS 4.3
CVE-2023-6859 [MEDIUM] Thunderbird vulnerabilities
Title: Thunderbird vulnerabilities
Summary: Several security issues were fixed in Thunderbird.
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, cross-site
tracing, or execute arbitrary code.(CVE-2023-6857, CVE-2023-6858,
CVE-2023-6859, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864)
Marcus Brinkmann discovered that Thunderbird did not properly parse a PGP/MIME
payload that contains digitally signed text. An attacker could potentially
exploit this issue to spoof an email message. (CVE-2023-50762)
Marcus Brinkmann discovered that Thunderbird did not p
Red Hat
Mozilla: Truncated signed text was shown with a valid OpenPGP signature
vendor_redhat·2023-12-19·CVSS 4.3
CVE-2023-50762 [MEDIUM] CWE-347 Mozilla: Truncated signed text was shown with a valid OpenPGP signature
Mozilla: Truncated signed text was shown with a valid OpenPGP signature
When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user. This is because the text was interpreted as a MIME message and the first paragraph was always treated as an email header section. A digitally signed text from a different context, such as a signed GIT commit, could be used to spoof an email message. This vulnerability affects Thunderbird < 115.6.
The Mozilla Foundation Security Advisory: When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user. This is because the text was interpreted as a MIME message and the first paragraph was always treated as an email header
Debian
CVE-2023-50762: thunderbird - When processing a PGP/MIME payload that contains digitally signed text, the firs...
vendor_debian·2023·CVSS 4.3
CVE-2023-50762 [MEDIUM] CVE-2023-50762: thunderbird - When processing a PGP/MIME payload that contains digitally signed text, the firs...
When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user. This is because the text was interpreted as a MIME message and the first paragraph was always treated as an email header section. A digitally signed text from a different context, such as a signed GIT commit, could be used to spoof an email message. This vulnerability affects Thunderbird < 115.6.
Scope: local
bookworm: resolved (fixed in 1:115.6.0-1~deb12u1)
bullseye: resolved (fixed in 1:115.6.0-1~deb11u1)
forky: resolved (fixed in 1:115.6.0-1)
sid: resolved (fixed in 1:115.6.0-1)
trixie: resolved (fixed in 1:115.6.0-1)
Mozilla
Mozilla Foundation Security Advisory 2023-55: CVE-2023-50762
vendor_mozilla·CVSS 4.3
CVE-2023-50762 [MEDIUM] Mozilla Foundation Security Advisory 2023-55: CVE-2023-50762
Mozilla Foundation Security Advisory 2023-55
CVE: CVE-2023-50762
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 115.6
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://bugzilla.mozilla.org/show_bug.cgi?id=1862625https://lists.debian.org/debian-lts-announce/2023/12/msg00021.htmlhttps://www.debian.org/security/2023/dsa-5582https://www.mozilla.org/security/advisories/mfsa2023-55/https://bugzilla.mozilla.org/show_bug.cgi?id=1862625https://lists.debian.org/debian-lts-announce/2023/12/msg00021.htmlhttps://www.debian.org/security/2023/dsa-5582https://www.mozilla.org/security/advisories/mfsa2023-55/
2023-12-19
Published