PT-2023-2800 · Mozilla+9 · Thunderbird+9

Paul Menzel

·

Published

2023-04-11

·

Updated

2025-01-10

·

CVE-2023-0547

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions Thunderbird versions 68 through 102.9.1 Thunderbird versions prior to 102.10
Description The issue is related to the implementation of the S/MIME protocol in the Thunderbird email client, specifically with errors in resource release. When sending S/MIME encrypted email, the OCSP revocation status of recipient certificates was not checked, and revoked certificates would be accepted. This could allow a remote attacker to bypass existing security restrictions and gain unauthorized access to protected information.
Recommendations For Thunderbird versions 68 through 102.9.1, update to version 102.10 or later to resolve the issue. For Thunderbird versions prior to 102.10, update to version 102.10 or later to resolve the issue. As a temporary workaround, consider disabling S/MIME encryption until a patch is available. Restrict access to sensitive information to minimize the risk of exploitation.

Fix

Improper Certificate Validation

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-254CWE-295CWE-264CWE-20

Related Identifiers

ALSA-2023:1802
ALSA-2023:1809
ALT-PU-2023-1648
ALT-PU-2023-1765
ALT-PU-2023-1783
ALT-PU-2023-4366
BDU:2023-02675
BDU:2023-02696
BDU:2023-02698
CESA-2023_1802
CESA-2023_1806
CVE-2023-0547
DLA-3400-1
DSA-5392-1
MGASA-2023-0147
OPENSUSE-SU-2024:12852-1
RHSA-2023:1802
RHSA-2023:1803
RHSA-2023:1804
RHSA-2023:1805
RHSA-2023:1806
RHSA-2023:1809
RHSA-2023:1810
RHSA-2023:1811
RHSA-2023_1802
RHSA-2023_1806
RHSA-2023_1809
RLSA-2023:1802
RLSA-2023:1809
SUSE-SU-2023:2064-1
USN-6015-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Thunderbird
Ubuntu