Vulnerability Name:

CVE-2022-2226 (CCN-229840)

Assigned:2022-06-28
Published:2022-06-28
Updated:2023-01-05
Summary:An OpenPGP digital signature includes information about the date when the signature was created. When displaying an email that contains a digital signature, the email's date will be shown. If the dates were different, then Thunderbird didn't report the email as having an invalid signature. If an attacker performed a replay attack, in which an old email with old contents are resent at a later time, it could lead the victim to believe that the statements in the email are current. Fixed versions of Thunderbird will require that the signature's date roughly matches the displayed date of the email. This vulnerability affects Thunderbird < 102 and Thunderbird < 91.11.
CVSS v3 Severity:6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availibility (A): None
6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availibility (A): None
6.1 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.3 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:C/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Complete
Availibility (A): None
Vulnerability Type:CWE-357
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2022-2226

Source: security@mozilla.org
Type: Issue Tracking, Permissions Required, Vendor Advisory
security@mozilla.org

Source: XF
Type: UNKNOWN
thunderbird-cve20222226-sec-bypass(229840)

Source: CCN
Type: Mend Vulnerability Database
CVE-2022-2226

Source: CCN
Type: Mozilla Foundation Security Advisory 2022-26
Security Vulnerabilities fixed in Thunderbird 91.11 and Thunderbird 102

Source: security@mozilla.org
Type: Vendor Advisory
security@mozilla.org

Vulnerable Configuration:Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
    • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*
    • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*
    • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*
    • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*
    • Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*
    • Configuration RedHat 7:
  • cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*
    • Configuration RedHat 8:
  • cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:759
    P
    		Security update for MozillaThunderbird (Important)
    2022-09-15
    oval:org.opensuse.security:def:562
    P
    		Security update for MozillaThunderbird (Important)
    2022-07-07
    oval:org.opensuse.security:def:3791
    P
    		Security update for MozillaThunderbird (Important)
    2022-07-07
    oval:org.opensuse.security:def:95371
    P
    		Security update for MozillaThunderbird (Important)
    2022-07-07
    oval:org.opensuse.security:def:95424
    P
    		Security update for MozillaThunderbird (Important)
    2022-07-07
    oval:org.opensuse.security:def:3741
    P
    		Security update for MozillaThunderbird (Important)
    2022-07-07
    oval:com.redhat.rhsa:def:20225480
    P
    		RHSA-2022:5480: thunderbird security update (Important)
    2022-07-01
    oval:com.redhat.rhsa:def:20225482
    P
    		RHSA-2022:5482: thunderbird security update (Important)
    2022-07-01
    oval:com.redhat.rhsa:def:20225470
    P
    		RHSA-2022:5470: thunderbird security update (Important)
    2022-06-30
    BACK