{"containers": {"cna": {"affected": [{"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "68.8.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "By encoding Unicode whitespace characters within the From email header, an attacker can spoof the sender email address that Thunderbird displays. This vulnerability affects Thunderbird < 68.8.0."}], "problemTypes": [{"descriptions": [{"description": "Sender Email Address Spoofing using encoded Unicode characters", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-06-12T19:30:13", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.mozilla.org/security/advisories/mfsa2020-18/"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1617370"}, {"name": "USN-4373-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4373-1/"}, {"tags": ["x_refsource_MISC"], "url": "https://security.gentoo.org/glsa/202005-03"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2020-12397", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Thunderbird", "version": {"version_data": [{"version_affected": "<", "version_value": "68.8.0"}]}}]}, "vendor_name": "Mozilla"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "By encoding Unicode whitespace characters within the From email header, an attacker can spoof the sender email address that Thunderbird displays. This vulnerability affects Thunderbird < 68.8.0."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Sender Email Address Spoofing using encoded Unicode characters"}]}]}, "references": {"reference_data": [{"name": "https://www.mozilla.org/security/advisories/mfsa2020-18/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2020-18/"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1617370", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1617370"}, {"name": "USN-4373-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4373-1/"}, {"name": "https://security.gentoo.org/glsa/202005-03", "refsource": "MISC", "url": "https://security.gentoo.org/glsa/202005-03"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:56:52.038Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2020-18/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1617370"}, {"name": "USN-4373-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4373-1/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://security.gentoo.org/glsa/202005-03"}]}]}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2020-12397", "datePublished": "2020-05-22T18:57:12", "dateReserved": "2020-04-28T00:00:00", "dateUpdated": "2024-08-04T11:56:52.038Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "E93B3D35-5D8E-4583-922F-D391CB7B992D", "versionEndExcluding": "68.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*", "matchCriteriaId": "A31C8344-3E02-4EB8-8BD8-4C84B7959624", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "By encoding Unicode whitespace characters within the From email header, an attacker can spoof the sender email address that Thunderbird displays. This vulnerability affects Thunderbird < 68.8.0."}, {"lang": "es", "value": "Al codificar caracteres de espacio en blanco Unicode dentro del encabezado del correo electr\u00f3nico From, un atacante puede suplantar la direcci\u00f3n de correo electr\u00f3nico del remitente que despliega Thunderbird. Esta vulnerabilidad afecta a Thunderbird versiones anteriores a 68.8.0."}], "id": "CVE-2020-12397", "lastModified": "2023-02-28T15:15:07.347", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-05-22T19:15:15.580", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1617370"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202005-03"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4373-1/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2020-18/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Ahmed Elsobky (@0xSobky) as the original reporter.", "affected_release": [{"advisory": "RHSA-2020:2049", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "thunderbird-0:68.8.0-1.el6_10", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2020-05-11T00:00:00Z"}, {"advisory": "RHSA-2020:2050", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "thunderbird-0:68.8.0-1.el7_8", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-05-11T00:00:00Z"}, {"advisory": "RHSA-2020:2046", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:68.8.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-05-11T00:00:00Z"}, {"advisory": "RHSA-2020:2048", "cpe": "cpe:/a:redhat:rhel_e4s:8.0", "package": "thunderbird-0:68.8.0-1.el8_0", "product_name": "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions", "release_date": "2020-05-11T00:00:00Z"}, {"advisory": "RHSA-2020:2047", "cpe": "cpe:/a:redhat:rhel_eus:8.1", "package": "thunderbird-0:68.8.0-1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2020-05-11T00:00:00Z"}], "bugzilla": {"description": "Mozilla: Sender Email Address Spoofing using encoded Unicode characters", "id": "1832565", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1832565"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "status": "verified"}, "cwe": "CWE-172", "details": ["By encoding Unicode whitespace characters within the From email header, an attacker can spoof the sender email address that Thunderbird displays. This vulnerability affects Thunderbird < 68.8.0."], "name": "CVE-2020-12397", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 5"}], "public_date": "2020-05-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-12397\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-12397\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2020-18/#CVE-2020-12397"], "threat_severity": "Low", "upstream_fix": "thunderbird 68.8.0"}