CVE-2023-50761

2023-12-1914:15:07

Debian Security Bug Tracker

security-tracker.debian.org

s/mime

email signature

thunderbird

validation

vulnerability

date mismatch

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

AI Score

6.2

Confidence

High

EPSS

0.001

Percentile

19.4%

JSON

The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time. If present, Thunderbird did not compare the signature creation date with the message date and time, and displayed a valid signature despite a date or time mismatch. This could be used to give recipients the impression that a message was sent at a different date or time. This vulnerability affects Thunderbird < 115.6.

OSVersionArchitecturePackageVersionFilename
Debian12allthunderbird< 1:115.6.0-1~deb12u1thunderbird_1:115.6.0-1~deb12u1_all.deb
Debian11allthunderbird< 1:115.6.0-1~deb11u1thunderbird_1:115.6.0-1~deb11u1_all.deb
Debian999allthunderbird< 1:115.6.0-1thunderbird_1:115.6.0-1_all.deb
Debian13allthunderbird< 1:115.6.0-1thunderbird_1:115.6.0-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	thunderbird	< 1:115.6.0-1~deb12u1	thunderbird_1:115.6.0-1~deb12u1_all.deb
Debian	11	all	thunderbird	< 1:115.6.0-1~deb11u1	thunderbird_1:115.6.0-1~deb11u1_all.deb
Debian	999	all	thunderbird	< 1:115.6.0-1	thunderbird_1:115.6.0-1_all.deb
Debian	13	all	thunderbird	< 1:115.6.0-1	thunderbird_1:115.6.0-1_all.deb