{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-1834", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "dateUpdated": "2024-08-03T00:17:00.629Z", "dateReserved": "2022-05-23T00:00:00", "datePublished": "2022-12-22T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2022-12-22T00:00:00"}, "descriptions": [{"lang": "en", "value": "When displaying the sender of an email, and the sender name contained the Braille Pattern Blank space character multiple times, Thunderbird would have displayed all the spaces. This could have been used by an attacker to send an email message with the attacker's digital signature, that was shown with an arbitrary sender email address chosen by the attacker. If the sender name started with a false email address, followed by many Braille space characters, the attacker's email address was not visible. Because Thunderbird compared the invisible sender address with the signature's email address, if the signing key or certificate was accepted by Thunderbird, the email was shown as having a valid digital signature. This vulnerability affects Thunderbird < 91.10."}], "affected": [{"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"version": "unspecified", "lessThan": "91.10", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://www.mozilla.org/security/advisories/mfsa2022-22/"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1767816"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Braille space character caused incorrect sender email to be shown for a digitally signed email"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:17:00.629Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.mozilla.org/security/advisories/mfsa2022-22/", "tags": ["x_transferred"]}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1767816", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "4A62DB30-D938-4ADD-BF43-9BBC56A6B8C0", "versionEndExcluding": "91.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "When displaying the sender of an email, and the sender name contained the Braille Pattern Blank space character multiple times, Thunderbird would have displayed all the spaces. This could have been used by an attacker to send an email message with the attacker's digital signature, that was shown with an arbitrary sender email address chosen by the attacker. If the sender name started with a false email address, followed by many Braille space characters, the attacker's email address was not visible. Because Thunderbird compared the invisible sender address with the signature's email address, if the signing key or certificate was accepted by Thunderbird, the email was shown as having a valid digital signature. This vulnerability affects Thunderbird < 91.10."}, {"lang": "es", "value": "Al mostrar el remitente de un correo electr\u00f3nico y el nombre del remitente conten\u00eda el car\u00e1cter de espacio en blanco del patr\u00f3n Braille varias veces, Thunderbird habr\u00eda mostrado todos los espacios. Un atacante podr\u00eda haberlo utilizado para enviar un mensaje de correo electr\u00f3nico con su firma digital, que se mostraba con una direcci\u00f3n de correo electr\u00f3nico de remitente arbitraria elegida por el atacante. Si el nombre del remitente comenzaba con una direcci\u00f3n de correo electr\u00f3nico falsa, seguida de muchos caracteres de espacio en Braille, la direcci\u00f3n de correo electr\u00f3nico del atacante no era visible. Debido a que Thunderbird compar\u00f3 la direcci\u00f3n del remitente invisible con la direcci\u00f3n de correo electr\u00f3nico de la firma, si Thunderbird aceptaba la clave de firma o el certificado, se mostraba que el correo electr\u00f3nico ten\u00eda una firma digital v\u00e1lida. Esta vulnerabilidad afecta a Thunderbird &lt; 91.10."}], "id": "CVE-2022-1834", "lastModified": "2024-11-21T06:41:34.397", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2022-12-22T20:15:13.513", "references": [{"source": "[email protected]", "tags": ["Issue Tracking", "Permissions Required", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1767816"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2022-22/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Permissions Required", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1767816"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2022-22/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "[email protected]", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:4891", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "thunderbird-0:91.10.0-1.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-06-03T00:00:00Z"}, {"advisory": "RHSA-2022:4887", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:91.10.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-06-03T00:00:00Z"}, {"advisory": "RHSA-2022:4888", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "thunderbird-0:91.10.0-1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-06-03T00:00:00Z"}, {"advisory": "RHSA-2022:4890", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "thunderbird-0:91.10.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2022-06-03T00:00:00Z"}, {"advisory": "RHSA-2022:4889", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "thunderbird-0:91.10.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-06-02T00:00:00Z"}, {"advisory": "RHSA-2022:4892", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "thunderbird-0:91.10.0-1.el9_0", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-06-03T00:00:00Z"}], "bugzilla": {"description": "Mozilla: Braille space character caused incorrect sender email to be shown for a digitally signed email", "id": "2092416", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092416"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-349", "details": ["When displaying the sender of an email, and the sender name contained the Braille Pattern Blank space character multiple times, Thunderbird would have displayed all the spaces. This could have been used by an attacker to send an email message with the attacker's digital signature, that was shown with an arbitrary sender email address chosen by the attacker. If the sender name started with a false email address, followed by many Braille space characters, the attacker's email address was not visible. Because Thunderbird compared the invisible sender address with the signature's email address, if the signing key or certificate was accepted by Thunderbird, the email was shown as having a valid digital signature. This vulnerability affects Thunderbird < 91.10.", "A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue of when displaying the sender of an email, and the sender name contained the Braille Pattern Blank space character multiple times, Thunderbird displays all spaces. This flaw allows an attacker to send an email message with the attacker's digital signature that shows an arbitrary sender email address chosen by the attacker. If the sender's name started with a false email address, followed by many Braille space characters, the attacker's email address was not visible. Because Thunderbird compared the invisible sender address with the signature's email address, if Thunderbird accepted the signing key or certificate, the email was shown as having a valid digital signature."], "name": "CVE-2022-1834", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2022-05-31T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-1834\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-1834"], "threat_severity": "Important", "upstream_fix": "thunderbird 91.10"}