{"containers": {"cna": {"affected": [{"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "60.5.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content. This vulnerability affects Thunderbird < 60.5.1."}], "problemTypes": [{"descriptions": [{"description": "S/MIME signature spoofing", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-06-03T18:06:06", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"name": "openSUSE-SU-2019:1162", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00043.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-06/"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1507218"}, {"name": "[oss-security] 20190430 Spoofing OpenPGP and S/MIME Signatures in Emails (multiple clients)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2019/04/30/4"}, {"name": "20190430 OpenPGP and S/MIME signature forgery attacks in multiple email clients", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2019/Apr/38"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html"}, {"name": "RHSA-2019:1144", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:1144"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2018-18509", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Thunderbird", "version": {"version_data": [{"version_affected": "<", "version_value": "60.5.1"}]}}]}, "vendor_name": "Mozilla"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content. This vulnerability affects Thunderbird < 60.5.1."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "S/MIME signature spoofing"}]}]}, "references": {"reference_data": [{"name": "openSUSE-SU-2019:1162", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00043.html"}, {"name": "https://www.mozilla.org/security/advisories/mfsa2019-06/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-06/"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1507218", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1507218"}, {"name": "[oss-security] 20190430 Spoofing OpenPGP and S/MIME Signatures in Emails (multiple clients)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/04/30/4"}, {"name": "20190430 OpenPGP and S/MIME signature forgery attacks in multiple email clients", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2019/Apr/38"}, {"name": "http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html"}, {"name": "RHSA-2019:1144", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1144"}, {"name": "https://github.com/RUB-NDS/Johnny-You-Are-Fired", "refsource": "MISC", "url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired"}, {"name": "https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf", "refsource": "MISC", "url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T11:08:21.996Z"}, "title": "CVE Program Container", "references": [{"name": "openSUSE-SU-2019:1162", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00043.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-06/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1507218"}, {"name": "[oss-security] 20190430 Spoofing OpenPGP and S/MIME Signatures in Emails (multiple clients)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2019/04/30/4"}, {"name": "20190430 OpenPGP and S/MIME signature forgery attacks in multiple email clients", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2019/Apr/38"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html"}, {"name": "RHSA-2019:1144", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:1144"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2018-18509", "datePublished": "2019-04-26T16:13:22", "dateReserved": "2018-10-19T00:00:00", "dateUpdated": "2024-08-05T11:08:21.996Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "0C51200B-CE35-47CB-89C2-185BC159A0B4", "versionEndExcluding": "60.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content. This vulnerability affects Thunderbird < 60.5.1."}, {"lang": "es", "value": "Un fallo durante la comprobaci\u00f3n de ciertas firmas S/MIME produce correos electr\u00f3nicos que se mostrar\u00e1n en Thunderbird con una firma digital v\u00e1lida, incluso si el contenido del mensaje mostrado no est\u00e1 cubierto por la firma. El fallo le permite a un atacante reutilizar una firma S/MIME v\u00e1lida para poder elaborar un mensaje de correo electr\u00f3nico con contenido arbitrario. Esta vulnerabilidad afecta a Thunderbird versiones <60.5.1."}], "id": "CVE-2018-18509", "lastModified": "2019-06-03T19:29:01.390", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-26T17:29:00.243", "references": [{"source": "security@mozilla.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00043.html"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html"}, {"source": "security@mozilla.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2019/Apr/38"}, {"source": "security@mozilla.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2019/04/30/4"}, {"source": "security@mozilla.org", "url": "https://access.redhat.com/errata/RHSA-2019:1144"}, {"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1507218"}, {"source": "security@mozilla.org", "url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired"}, {"source": "security@mozilla.org", "url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-06/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2019:0680", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "thunderbird-0:60.6.1-1.el6_10", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2019-03-28T00:00:00Z"}, {"advisory": "RHSA-2019:0681", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "thunderbird-0:60.6.1-1.el7_6", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2019-03-28T00:00:00Z"}, {"advisory": "RHSA-2019:1144", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:60.6.1-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-05-13T00:00:00Z"}], "bugzilla": {"description": "thunderbird: flaw in verification of S/MIME signature resulting in signature spoofing", "id": "1677613", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1677613"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-451->CWE-347", "details": ["A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content. This vulnerability affects Thunderbird < 60.5.1."], "name": "CVE-2018-18509", "public_date": "2019-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-18509\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-18509"], "threat_severity": "Moderate", "upstream_fix": "thunderbird 60.5.1"}