CVE-2022-2226

An OpenPGP digital signature includes information about the date when the signature was created. When displaying an email that contains a digital signature, the email's date will be shown. If the dates were different, then Thunderbird didn't report the email as having an invalid signature. If an attacker performed a replay attack, in which an old email with old contents are resent at a later time, it could lead the victim to believe that the statements in the email are current. Fixed versions of Thunderbird will require that the signature's date roughly matches the displayed date of the email. This vulnerability affects Thunderbird < 102 and Thunderbird < 91.11.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1775441	Issue Tracking Permissions Required Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2022-26/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mozilla:thunderbird::::::::
	cpe:2.3:a:mozilla:thunderbird:101.0:::::::*

History

05 Jan 2023, 13:52

Type	Values Removed	Values Added
References	~~(MISC) https://www.mozilla.org/security/advisories/mfsa2022-26/ -~~	(MISC) https://www.mozilla.org/security/advisories/mfsa2022-26/ - Vendor Advisory
References	~~(MISC) https://bugzilla.mozilla.org/show_bug.cgi?id=1775441 -~~	(MISC) https://bugzilla.mozilla.org/show_bug.cgi?id=1775441 - Issue Tracking, Permissions Required, Vendor Advisory
First Time		Mozilla thunderbird Mozilla
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
CPE		cpe:2.3:a:mozilla:thunderbird:101.0:::::::* cpe:2.3:a:mozilla:thunderbird::::::::
CWE		CWE-294

22 Dec 2022, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-12-22 20:15

Updated : 2023-12-10 14:48

NVD link : CVE-2022-2226

Mitre link : CVE-2022-2226

CVE.ORG link : CVE-2022-2226

JSON object : View

Products Affected

mozilla

thunderbird

CWE

CWE-294

Authentication Bypass by Capture-replay

{"id": "CVE-2022-2226", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2022-12-22T20:15:27.540", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1775441", "tags": ["Issue Tracking", "Permissions Required", "Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2022-26/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-294"}]}], "descriptions": [{"lang": "en", "value": "An OpenPGP digital signature includes information about the date when the signature was created. When displaying an email that contains a digital signature, the email's date will be shown. If the dates were different, then Thunderbird didn't report the email as having an invalid signature. If an attacker performed a replay attack, in which an old email with old contents are resent at a later time, it could lead the victim to believe that the statements in the email are current. Fixed versions of Thunderbird will require that the signature's date roughly matches the displayed date of the email. This vulnerability affects Thunderbird < 102 and Thunderbird < 91.11."}, {"lang": "es", "value": "Una firma digital OpenPGP incluye informaci\u00f3n sobre la fecha en que se cre\u00f3 la firma. Al mostrar un correo electr\u00f3nico que contiene una firma digital, se mostrar\u00e1 la fecha del correo electr\u00f3nico. Si las fechas eran diferentes, entonces Thunderbird no inform\u00f3 que el correo electr\u00f3nico tuviera una firma no v\u00e1lida. Si un atacante realiz\u00f3 un ataque de repetici\u00f3n, en el que un correo electr\u00f3nico antiguo con contenido antiguo se reenv\u00eda m\u00e1s adelante, podr\u00eda hacer que la v\u00edctima crea que las declaraciones en el correo electr\u00f3nico son actuales. Las versiones fijas de Thunderbird requerir\u00e1n que la fecha de la firma coincida aproximadamente con la fecha mostrada en el correo electr\u00f3nico. Esta vulnerabilidad afecta a Thunderbird < 102 y Thunderbird < 91.11."}], "lastModified": "2023-01-05T13:52:11.617", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "897D6E98-A21E-4D5A-A4E8-64073F667C0A", "versionEndExcluding": "91.11"}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:101.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A216EBB0-80B9-4D77-8D82-6E073A21E2EF"}], "operator": "OR"}]}], "sourceIdentifier": "security@mozilla.org"}