CVE-2022-2226 - OpenCVE

Vendors	Products
Mozilla	Thunderbird

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1775441	Issue Tracking Permissions Required Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2022-26/	Vendor Advisory

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-2226", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "dateUpdated": "2022-12-22T00:00:00", "dateReserved": "2022-06-27T00:00:00", "datePublished": "2022-12-22T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2022-12-22T00:00:00"}, "descriptions": [{"lang": "en", "value": "An OpenPGP digital signature includes information about the date when the signature was created. When displaying an email that contains a digital signature, the email's date will be shown. If the dates were different, then Thunderbird didn't report the email as having an invalid signature. If an attacker performed a replay attack, in which an old email with old contents are resent at a later time, it could lead the victim to believe that the statements in the email are current. Fixed versions of Thunderbird will require that the signature's date roughly matches the displayed date of the email. This vulnerability affects Thunderbird < 102 and Thunderbird < 91.11."}], "affected": [{"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"version": "unspecified", "lessThan": "102", "status": "affected", "versionType": "custom"}, {"version": "unspecified", "lessThan": "91.11", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://www.mozilla.org/security/advisories/mfsa2022-26/"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1775441"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "An email with a mismatching OpenPGP signature date was accepted as valid"}]}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "897D6E98-A21E-4D5A-A4E8-64073F667C0A", "versionEndExcluding": "91.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:101.0:*:*:*:*:*:*:*", "matchCriteriaId": "A216EBB0-80B9-4D77-8D82-6E073A21E2EF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An OpenPGP digital signature includes information about the date when the signature was created. When displaying an email that contains a digital signature, the email's date will be shown. If the dates were different, then Thunderbird didn't report the email as having an invalid signature. If an attacker performed a replay attack, in which an old email with old contents are resent at a later time, it could lead the victim to believe that the statements in the email are current. Fixed versions of Thunderbird will require that the signature's date roughly matches the displayed date of the email. This vulnerability affects Thunderbird < 102 and Thunderbird < 91.11."}, {"lang": "es", "value": "Una firma digital OpenPGP incluye informaci\u00f3n sobre la fecha en que se cre\u00f3 la firma. Al mostrar un correo electr\u00f3nico que contiene una firma digital, se mostrar\u00e1 la fecha del correo electr\u00f3nico. Si las fechas eran diferentes, entonces Thunderbird no inform\u00f3 que el correo electr\u00f3nico tuviera una firma no v\u00e1lida. Si un atacante realiz\u00f3 un ataque de repetici\u00f3n, en el que un correo electr\u00f3nico antiguo con contenido antiguo se reenv\u00eda m\u00e1s adelante, podr\u00eda hacer que la v\u00edctima crea que las declaraciones en el correo electr\u00f3nico son actuales. Las versiones fijas de Thunderbird requerir\u00e1n que la fecha de la firma coincida aproximadamente con la fecha mostrada en el correo electr\u00f3nico. Esta vulnerabilidad afecta a Thunderbird < 102 y Thunderbird < 91.11."}], "id": "CVE-2022-2226", "lastModified": "2023-01-05T13:52:11.617", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-22T20:15:27.540", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1775441"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2022-26/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-294"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

JSON object

JSON object

JSON object