PT-2022-3819 · Mozilla+9 · Thunderbird+9

Johannes König · Published 2022-04-05 · Updated 2022-12-29 · CVE-2022-1197

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Thunderbird versions prior to 91.8

Description: The issue is caused by errors in how Thunderbird updates OpenPGP key data used for digital signatures, which can allow a remote attacker to perform a spoofing attack. Specifically, when importing a revoked key whose revocation reason was key compromise, Thunderbird did not update the existing copy of the key and kept treating it as non-revoked.

Recommendations: For versions prior to 91.8, update to version 91.8 or later to resolve the issue. As a temporary workaround, consider restricting the use of OpenPGP digital signatures until a patch is available. In affected versions, avoid importing revoked keys that specify key compromise as the revocation reason.

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

ALSA-2022:1301
ALT-PU-2022-1941
ALT-PU-2022-1951
ALT-PU-2022-1983
ALT-PU-2022-2053
BDU:2022-04617
CESA-2022_1301
CVE-2022-1197
DLA-2978-1
DSA-5118-1
MGASA-2022-0157
OPENSUSE-SU-2022_1176-1
RHSA-2022:1301
RHSA-2022:1302
RHSA-2022:1303
RHSA-2022:1305
RHSA-2022:1326
RHSA-2022_1301
RHSA-2022_1302
RLSA-2022:1301
SUSE-SU-2022:1176-1
USN-5393-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Rocky Linux
Suse
Thunderbird
Ubuntu