#VU61943 Security features bypass in Mozilla Thunderbird - CVE-2022-1197

Published: April 6, 2022


Vulnerability identifier: #VU61943
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-1197
CWE-ID: CWE-254
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Mozilla Thunderbird
Software vendor:
Mozilla

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists in the handling of OpenPGP key revocations whose stated reason is key compromise. When a revoked copy of a key was imported with the revocation reason set to key compromise, Thunderbird did not update the copy of that key already present in its keyring, so the stored key remained non-revoked. A remote attacker in possession of the compromised private key can therefore keep signing messages with it, and Thunderbird displays those messages as carrying a valid signature from a genuine key.
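The bug class described above, modelled as an added example (this is not Thunderbird's or RNP's own code): a parser for the OpenPGP signature subpacket area and its reason-for-revocation subpacket (RFC 4880 sections 5.2.3.1 and 5.2.3.23), followed by two versions of the keyring merge step, one reproducing the faulty behaviour the advisory describes and one applying the revocation regardless of the stated reason. The `Key` record, the `apply_imported_revocation` function and the sample subpacket bytes are constructed assumptions for illustration only.

```python
"""
Illustrative model of the revocation-import bug class described above.

Added example code, not Thunderbird's or RNP's implementation. The Key record
and the merge function are assumptions made to show the behaviour the advisory
describes; the subpacket encoding follows RFC 4880 sections 5.2.3.1 (subpacket
format) and 5.2.3.23 (reason for revocation).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subpacket types used here (RFC 4880 5.2.3.1).
SUBPACKET_CREATION_TIME = 2
SUBPACKET_REASON_FOR_REVOCATION = 29

# Reason codes carried in the reason-for-revocation subpacket (RFC 4880 5.2.3.23).
REASON_NO_REASON = 0x00
REASON_SUPERSEDED = 0x01
REASON_COMPROMISED = 0x02
REASON_RETIRED = 0x03


def parse_subpackets(area: bytes) -> List[Tuple[int, bytes]]:
    """Walk a signature subpacket area and return (type, body) pairs.

    Each subpacket is: length (1, 2 or 5 octets), type octet, body. The length
    counts the type octet but not itself. Bit 7 of the type octet is the
    "critical" flag and is masked off here.
    """
    out = []
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("truncated or empty subpacket")
        out.append((area[i] & 0x7F, area[i + 1:i + length]))
        i += length
    return out


def revocation_reason(area: bytes) -> Optional[Tuple[int, str]]:
    """Return (reason_code, text) if the signature carries a
    reason-for-revocation subpacket, else None."""
    for ptype, body in parse_subpackets(area):
        if ptype == SUBPACKET_REASON_FOR_REVOCATION and body:
            return body[0], body[1:].decode("utf-8", "replace")
    return None


@dataclass
class Key:
    """Minimal stand-in for a stored public key (assumption for illustration)."""
    fingerprint: str
    revoked: bool = False
    revocation_reason: Optional[int] = None


def apply_imported_revocation(existing: Key, revsig_subpackets: bytes,
                              faulty: bool = False) -> Key:
    """Merge a key-revocation signature from an imported copy of a key into
    the copy already stored.

    faulty=True models the behaviour the advisory describes: a revocation whose
    reason is "key compromised" leaves the stored key non-revoked.
    faulty=False applies every revocation regardless of the stated reason.
    The revocation signature itself is assumed to have been verified already.
    """
    reason = revocation_reason(revsig_subpackets)
    code = reason[0] if reason else REASON_NO_REASON
    if faulty and code == REASON_COMPROMISED:
        return existing                      # bug: revocation silently dropped
    existing.revoked = True
    existing.revocation_reason = code
    return existing


def signature_is_trusted(key: Key) -> bool:
    """A message signed by a revoked key must not be shown as valid."""
    return not key.revoked


# Constructed sample: hashed subpacket area of a key-revocation signature
# with a creation-time subpacket and reason 0x02 ("key stolen").
SAMPLE_REVOCATION_SUBPACKETS = (
    bytes([0x05, SUBPACKET_CREATION_TIME]) + (1649203200).to_bytes(4, "big")
    + bytes([0x0C, SUBPACKET_REASON_FOR_REVOCATION, REASON_COMPROMISED]) + b"key stolen"
)

if __name__ == "__main__":
    fpr = "0123456789ABCDEF0123456789ABCDEF01234567"   # constructed fingerprint
    buggy = apply_imported_revocation(Key(fpr), SAMPLE_REVOCATION_SUBPACKETS, faulty=True)
    fixed = apply_imported_revocation(Key(fpr), SAMPLE_REVOCATION_SUBPACKETS, faulty=False)
    print("reason:", revocation_reason(SAMPLE_REVOCATION_SUBPACKETS))
    print("faulty merge still trusts signatures:", signature_is_trusted(buggy))
    print("fixed merge still trusts signatures: ", signature_is_trusted(fixed))
```

The point the model makes explicit is that the reason code is informational: any verified revocation must flip the stored key to revoked, and a merge that branches on the code (or fails only on one branch) is exactly the failure mode above. When reproducing this against a mail client with a revocation certificate generated by `gpg --gen-revoke`, note that gpg's interactive menu numbers the reasons differently from the packet codes (the menu's "1 = Key has been compromised" is written as code 0x02 on the wire), so inspect the resulting packet rather than trusting the menu number.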


Remediation

Install updates from the vendor's website.

External links