PT-2022-3645 · Mozilla+8 · Thunderbird+8
Jonathan Von Niessen · Published 2022-05-31 · Updated 2024-06-15
CVE-2022-1834
CVSS v2.0: 7.6 (High)
| Vector | AV:N/AC:H/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Thunderbird versions prior to 91.10
Description
The issue arises when Thunderbird displays the sender of an email whose sender name contains the Braille Pattern Blank space character many times. An attacker could exploit this by sending a digitally signed email that appears to come from an arbitrary sender email address of the attacker's choosing. If the sender name begins with a false email address followed by many Braille space characters, the attacker's real email address is pushed out of view and remains invisible. Thunderbird compares this invisible sender address with the email address in the signature, and if the signing key or certificate is accepted, the email is shown as carrying a valid digital signature.
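A gateway- or filter-side check for the display-name pattern the description names, added here as an example (it is not Thunderbird's or Mozilla's code). It splits a From: header with a deliberately simplified parser (an assumption; a production filter would use a full RFC 5322 parser), flags long runs of Braille Pattern Blank (U+2800) or zero-width format characters in the display name, and flags a display name that embeds an email address different from the real one. The sample headers are constructed.

```python
import re
import unicodedata

BRAILLE_BLANK = "\u2800"  # BRAILLE PATTERN BLANK, the character named in the advisory
# Loose addr-spec matcher used only to spot address-like text inside a display name.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def split_from(value):
    """Simplified From: splitter: last <...> is the address, text before it the name.
    Surrounding double quotes on the display name are removed."""
    m = re.match(r"\s*(.*?)\s*<([^<>]*)>\s*$", value)
    if not m:
        return "", value.strip()
    name, addr = m.group(1), m.group(2).strip()
    if len(name) >= 2 and name[0] == name[-1] == '"':
        name = name[1:-1]
    return name, addr


def longest_blank_run(name):
    """Longest run of characters that render as nothing: U+2800 or any
    Unicode format character (category Cf, e.g. zero-width space U+200B)."""
    best = cur = 0
    for ch in name:
        if ch == BRAILLE_BLANK or unicodedata.category(ch) == "Cf":
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    return best


def check_from_header(value, max_blank_run=3):
    """Return a list of findings for one From: header value (empty list = clean)."""
    name, addr = split_from(value)
    findings = []
    run = longest_blank_run(name)
    if run > max_blank_run:
        findings.append(f"blank_run:{run}")
    for candidate in EMAIL_RE.findall(name):
        if candidate.lower() != addr.lower():  # address-like name that is not the real sender
            findings.append(f"name_address_mismatch:{candidate}")
    return findings


# Constructed sample headers; reserved example domains only.
SAMPLE_HEADERS = [
    "Alice Example <alice@example.net>",
    '"alice@example.net' + BRAILLE_BLANK * 40 + '" <mallory@attacker.example>',
    '"Bob \u200b\u200b\u200b\u200b" <bob@example.net>',
]

if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        print(repr(hdr[:40]), "->", check_from_header(hdr) or "clean")
```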
Recommendations
For Thunderbird versions prior to 91.10, update to version 91.10 or later to resolve the issue. As a temporary workaround, consider disabling the display of sender names that contain special characters, such as the Braille Pattern Blank space character, until a patch is available. Restrict access to emails with suspicious sender names to reduce the risk of exploitation, and avoid relying solely on digital signatures for email authentication until the issue is resolved. No further information about additional mitigation measures is available at this time.
Improper Certificate Validation
Affected Products
Alt Linux
Astra Linux
CentOS
Linux Mint
Red Hat
Rocky Linux
SUSE
Thunderbird
Ubuntu