Vulnerability Details : CVE-2022-1834
When displaying the sender of an email, and the sender name contained the Braille Pattern Blank space character multiple times, Thunderbird would have displayed all the spaces. This could have been used by an attacker to send an email message with the attacker's digital signature, that was shown with an arbitrary sender email address chosen by the attacker. If the sender name started with a false email address, followed by many Braille space characters, the attacker's email address was not visible. Because Thunderbird compared the invisible sender address with the signature's email address, if the signing key or certificate was accepted by Thunderbird, the email was shown as having a valid digital signature. This vulnerability affects Thunderbird < 91.10.
Products affected by CVE-2022-1834
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-1834
0.11%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 44 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-1834
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
2.8
|
3.6
|
NIST |
CWE ids for CVE-2022-1834
-
The product does not validate, or incorrectly validates, a certificate.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-1834
-
https://bugzilla.mozilla.org/show_bug.cgi?id=1767816
Access DeniedIssue Tracking;Permissions Required;Vendor Advisory
-
https://www.mozilla.org/security/advisories/mfsa2022-22/
Security Vulnerabilities fixed in Thunderbird 91.10 — MozillaVendor Advisory
Jump to