PT-2022-3598 · Mozilla+8 · Thunderbird+10

Michal · Published 2022-05-31 · Updated 2024-12-12 · CVE-2022-31742

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Thunderbird versions prior to 91.10
Firefox versions prior to 101
Firefox ESR versions prior to 91.10
Description
The issue is a timing attack: by sending a large number of allowCredential entries, an attacker could tell invalid key handles apart from cross-origin key handles by the difference in processing time. This could lead to cross-origin account linking, violating WebAuthn's goals. The vulnerability is also related to the implementation of the CORS mechanism in browsers, which could allow a remote attacker to bypass security restrictions and gain unauthorized access to protected information.
Recommendations
For Thunderbird versions prior to 91.10, update to version 91.10 or later.
For Firefox versions prior to 101, update to version 101 or later.
For Firefox ESR versions prior to 91.10, update to version 91.10 or later.
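A constructed model of the leak class in the description above, added here as an illustration and not Firefox's or Thunderbird's code: a client that rejects malformed key handles before the costly per-credential step does visibly less work for them than for valid-but-cross-origin handles, while the uniform variant does the same work for every allowCredentials entry. The handle format, the HMAC-based authenticator and the derive step are assumptions.

```python
import hashlib
import hmac
import os

# Constructed model (added illustration, not Firefox/Thunderbird code) of a
# WebAuthn client sifting an allowCredentials list. A key handle is assumed
# to be: 2-byte length || rpId || HMAC-SHA256(secret, rpId).
SECRET = os.urandom(32)

def make_handle(rp_id: str) -> bytes:
    body = rp_id.encode()
    tag = hmac.new(SECRET, body, hashlib.sha256).digest()
    return len(body).to_bytes(2, "big") + body + tag

def parse_handle(handle: bytes):
    """Cheap local check: (tag_valid, rpId the handle is bound to)."""
    n = int.from_bytes(handle[:2], "big")
    body, tag = handle[2:2 + n], handle[2 + n:]
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag), body.decode("utf-8", "replace")

def derive_key(handle: bytes) -> bytes:
    """Stands in for the costly per-credential step (key unwrap / round trip)."""
    return hashlib.pbkdf2_hmac("sha256", handle, SECRET, 2000)

def filter_vulnerable(rp_id: str, allow_list):
    """Rejects malformed handles before the costly step, so per-entry work
    (returned as a step count) differs between invalid and cross-origin ones."""
    usable, steps = [], []
    for h in allow_list:
        valid, bound_rp = parse_handle(h)
        if not valid:
            steps.append(1)            # bailed out early: observable as faster
            continue
        derive_key(h)
        steps.append(3)
        if bound_rp == rp_id:
            usable.append(h)
    return usable, steps

def filter_uniform(rp_id: str, allow_list):
    """Does identical work for every entry; decides usability only at the end."""
    usable, steps = [], []
    for h in allow_list:
        valid, bound_rp = parse_handle(h)
        derive_key(h)                  # run even for garbage handles
        steps.append(3)
        same_rp = hmac.compare_digest(bound_rp.encode(), rp_id.encode())
        if valid and same_rp:
            usable.append(h)
    return usable, steps
```

The step counts stand in for wall-clock time; in a real client the gap between 1 and 3 is what a page measuring `navigator.credentials.get()` latency over many entries would observe.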

Tags: Exploit · Fix · Side Channel Attack

Related Identifiers

ALT-PU-2022-1988
ALT-PU-2022-1995
ALT-PU-2022-1996
ALT-PU-2022-2000
ALT-PU-2022-2006
ALT-PU-2022-2017
ALT-PU-2022-2031
ALT-PU-2022-2044
ALT-PU-2022-2053
ALT-PU-2022-2458
ALT-PU-2022-2929
ALT-PU-2022-2930
ALT-PU-2023-1138
ALT-PU-2023-1139
ALT-PU-2023-4336
ALT-PU-2023-4339
BDU:2022-04382
CESA-2022_4870
CESA-2022_4872
CESA-2022_4887
CESA-2022_4891
CVE-2022-31742
DLA-3040-1
DLA-3041-1
DSA-5156-1
DSA-5158-1
MGASA-2022-0220
MGASA-2022-0221
OESA-2023-1673
OESA-2023-1674
OPENSUSE-SU-2022_1920-1
OPENSUSE-SU-2022_2062-1
OPENSUSE-SU-2024:12117-1
OPENSUSE-SU-2024:12121-1
OPENSUSE-SU-2024:14572-1
RHSA-2022:4870
RHSA-2022:4871
RHSA-2022:4872
RHSA-2022:4873
RHSA-2022:4875
RHSA-2022:4876
RHSA-2022:4887
RHSA-2022:4888
RHSA-2022:4889
RHSA-2022:4890
RHSA-2022:4891
RHSA-2022:4892
RHSA-2022_4870
RHSA-2022_4872
RHSA-2022_4873
RHSA-2022_4887
RHSA-2022_4891
RHSA-2022_4892
RLSA-2022:4872
RLSA-2022:4887
SUSE-SU-2022:1920-1
SUSE-SU-2022:1921-1
SUSE-SU-2022:1927-1
SUSE-SU-2022:2062-1
USN-5475-1
USN-5512-1

Affected Products

Alt Linux
Astra Linux
Centos
Firefox
Firefox Esr
Linuxmint
Red Hat
Rocky Linux
Suse
Thunderbird
Ubuntu