{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-2226", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "dateUpdated": "2024-08-03T00:32:09.375Z", "dateReserved": "2022-06-27T00:00:00", "datePublished": "2022-12-22T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2022-12-22T00:00:00"}, "descriptions": [{"lang": "en", "value": "An OpenPGP digital signature includes information about the date when the signature was created. When displaying an email that contains a digital signature, the email's date will be shown. If the dates were different, then Thunderbird didn't report the email as having an invalid signature. If an attacker performed a replay attack, in which an old email with old contents are resent at a later time, it could lead the victim to believe that the statements in the email are current. Fixed versions of Thunderbird will require that the signature's date roughly matches the displayed date of the email. This vulnerability affects Thunderbird < 102 and Thunderbird < 91.11."}], "affected": [{"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"version": "unspecified", "lessThan": "102", "status": "affected", "versionType": "custom"}, {"version": "unspecified", "lessThan": "91.11", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://www.mozilla.org/security/advisories/mfsa2022-26/"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1775441"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "An email with a mismatching OpenPGP signature date was accepted as valid"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:32:09.375Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.mozilla.org/security/advisories/mfsa2022-26/", "tags": ["x_transferred"]}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1775441", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "897D6E98-A21E-4D5A-A4E8-64073F667C0A", "versionEndExcluding": "91.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:101.0:*:*:*:*:*:*:*", "matchCriteriaId": "A216EBB0-80B9-4D77-8D82-6E073A21E2EF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An OpenPGP digital signature includes information about the date when the signature was created. When displaying an email that contains a digital signature, the email's date will be shown. If the dates were different, then Thunderbird didn't report the email as having an invalid signature. If an attacker performed a replay attack, in which an old email with old contents are resent at a later time, it could lead the victim to believe that the statements in the email are current. Fixed versions of Thunderbird will require that the signature's date roughly matches the displayed date of the email. This vulnerability affects Thunderbird < 102 and Thunderbird < 91.11."}, {"lang": "es", "value": "Una firma digital OpenPGP incluye informaci\u00f3n sobre la fecha en que se cre\u00f3 la firma. Al mostrar un correo electr\u00f3nico que contiene una firma digital, se mostrar\u00e1 la fecha del correo electr\u00f3nico. Si las fechas eran diferentes, entonces Thunderbird no inform\u00f3 que el correo electr\u00f3nico tuviera una firma no v\u00e1lida. Si un atacante realiz\u00f3 un ataque de repetici\u00f3n, en el que un correo electr\u00f3nico antiguo con contenido antiguo se reenv\u00eda m\u00e1s adelante, podr\u00eda hacer que la v\u00edctima crea que las declaraciones en el correo electr\u00f3nico son actuales. Las versiones fijas de Thunderbird requerir\u00e1n que la fecha de la firma coincida aproximadamente con la fecha mostrada en el correo electr\u00f3nico. Esta vulnerabilidad afecta a Thunderbird &lt; 102 y Thunderbird &lt; 91.11."}], "id": "CVE-2022-2226", "lastModified": "2023-01-05T13:52:11.617", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-22T20:15:27.540", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1775441"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2022-26/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-294"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Nickolay Olshevsky as the original reporter.", "affected_release": [{"advisory": "RHSA-2022:5480", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "thunderbird-0:91.11.0-2.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-07-01T00:00:00Z"}, {"advisory": "RHSA-2022:5470", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:91.11.0-2.el8_6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-06-30T00:00:00Z"}, {"advisory": "RHSA-2022:5478", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "thunderbird-0:91.11.0-2.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-06-30T00:00:00Z"}, {"advisory": "RHSA-2022:5475", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "thunderbird-0:91.11.0-2.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2022-07-01T00:00:00Z"}, {"advisory": "RHSA-2022:5473", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "thunderbird-0:91.11.0-2.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-06-30T00:00:00Z"}, {"advisory": "RHSA-2022:5482", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "thunderbird-0:91.11.0-2.el9_0", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-07-01T00:00:00Z"}], "bugzilla": {"description": "Mozilla: An email with a mismatching OpenPGP signature date was accepted as valid", "id": "2102204", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2102204"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-357", "details": ["An OpenPGP digital signature includes information about the date when the signature was created. When displaying an email that contains a digital signature, the email's date will be shown. If the dates were different, then Thunderbird didn't report the email as having an invalid signature. If an attacker performed a replay attack, in which an old email with old contents are resent at a later time, it could lead the victim to believe that the statements in the email are current. Fixed versions of Thunderbird will require that the signature's date roughly matches the displayed date of the email. This vulnerability affects Thunderbird < 102 and Thunderbird < 91.11.", "A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes this issue of when an OpenPGP digital signature includes information about the date when the signature was created. When displaying an email that contains a digital signature, it will show the email's date. If the dates were different, Thunderbird didn't report the email as having an invalid signature. If an attacker performs a replay attack, in which an old email with old contents is present at a later time, it could lead the victim to believe that the statements in the email are current. Fixed versions of Thunderbird will require that the signature's date roughly matches the displayed date of the email."], "name": "CVE-2022-2226", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2022-06-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-2226\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-2226\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2022-26/#CVE-2022-2226"], "threat_severity": "Moderate", "upstream_fix": "thunderbird 91.11, thunderbird 102"}