PT-2022-3329 · Mozilla+9 · Thunderbird+9
Nickolay Olshevsky · Published 2022-06-28 · Updated 2024-06-15 · CVE-2022-2226
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Thunderbird versions prior to 102
Thunderbird versions prior to 91.11
Description
Affected Thunderbird versions do not check that the date of an OpenPGP digital signature matches the date of the email that carries it. When an email with a digital signature is displayed, the email's date is shown. If the two dates differ, Thunderbird does not report the email as having an invalid signature. This could allow a remote attacker to perform a replay attack, in which an old email with old contents is resent at a later time, making the victim believe the statements in the email are current.
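The missing comparison can be sketched as follows. This is an added example, not Thunderbird's code: it reads the creation time from the hashed subpackets of a v4 OpenPGP signature packet body (RFC 4880) and compares it with the `Date` header. The function names, the one-hour tolerance and the sample data are assumptions, and the check is only meaningful once the signature itself has verified.

```python
import struct
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

MAX_SKEW = timedelta(hours=1)  # assumed tolerance, not a value from the advisory

def signature_creation_time(body: bytes) -> datetime:
    """Creation time from a v4 OpenPGP signature packet body (RFC 4880, 5.2.3)."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("only v4 signature packets are handled")
    (hashed_len,) = struct.unpack(">H", body[4:6])
    area = body[6:6 + hashed_len]  # hashed area only: it is covered by the signature
    if len(area) != hashed_len:
        raise ValueError("truncated hashed subpacket area")
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:  # one-octet subpacket length
            length, i = first, i + 1
        elif first < 255 and i + 1 < len(area):  # two-octet length
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        elif first == 255 and i + 5 <= len(area):  # five-octet length
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        else:
            raise ValueError("truncated subpacket length")
        sub = area[i:i + length]
        if length == 0 or len(sub) != length:
            raise ValueError("malformed subpacket")
        if sub[0] & 0x7F == 2 and length == 5:  # type 2 = creation time, bit 7 = critical
            return datetime.fromtimestamp(struct.unpack(">I", sub[1:5])[0], timezone.utc)
        i += length
    raise ValueError("no creation time in hashed area")

def date_matches_signature(raw_email: str, sig_body: bytes, max_skew=MAX_SKEW) -> bool:
    """True only if the Date header is within max_skew of the signature creation time."""
    header = message_from_string(raw_email)["Date"]
    if header is None:
        return False
    sent = parsedate_to_datetime(header)
    if sent.tzinfo is None:  # a "-0000" zone parses as naive; treat it as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return abs(sent - signature_creation_time(sig_body)) <= max_skew

# Constructed sample data: signature header fields only, no MPIs, so not verifiable.
_SUB = bytes([5, 2]) + struct.pack(">I", 1641805200)  # 2022-01-10 09:00:00 UTC
SAMPLE_SIG = bytes([4, 0x01, 1, 8]) + struct.pack(">H", len(_SUB)) + _SUB + bytes(4)
ORIGINAL = "From: alice@example.org\nDate: Mon, 10 Jan 2022 09:05:00 +0000\n\nPay invoice 17.\n"
REPLAYED = ORIGINAL.replace("Mon, 10 Jan 2022 09:05:00", "Tue, 28 Jun 2022 12:00:00")
```

A mail-processing pipeline could flag messages for which `date_matches_signature` returns `False` instead of presenting the signature as valid for the displayed date.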
Recommendations
For Thunderbird versions prior to 102, update to version 102 or later to resolve the issue.
For Thunderbird versions prior to 91.11, update to version 91.11 or later to resolve the issue.
Fix
Related Identifiers
Affected Products
ALT Linux
AlmaLinux
Astra Linux
CentOS
Linux Mint
Red Hat
Rocky Linux
SUSE
Thunderbird
Ubuntu