CVE-2023-50762

2023-12-1914:15:07

Debian Security Bug Tracker

security-tracker.debian.org

pgp/mime

digitally signed

email header

git commit

spoofing

thunderbird

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

AI Score

6.2

Confidence

High

EPSS

0.001

Percentile

19.4%

JSON

When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user. This is because the text was interpreted as a MIME message and the first paragraph was always treated as an email header section. A digitally signed text from a different context, such as a signed GIT commit, could be used to spoof an email message. This vulnerability affects Thunderbird < 115.6.

OSVersionArchitecturePackageVersionFilename
Debian12allthunderbird< 1:115.6.0-1~deb12u1thunderbird_1:115.6.0-1~deb12u1_all.deb
Debian11allthunderbird< 1:115.6.0-1~deb11u1thunderbird_1:115.6.0-1~deb11u1_all.deb
Debian999allthunderbird< 1:115.6.0-1thunderbird_1:115.6.0-1_all.deb
Debian13allthunderbird< 1:115.6.0-1thunderbird_1:115.6.0-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	thunderbird	< 1:115.6.0-1~deb12u1	thunderbird_1:115.6.0-1~deb12u1_all.deb
Debian	11	all	thunderbird	< 1:115.6.0-1~deb11u1	thunderbird_1:115.6.0-1~deb11u1_all.deb
Debian	999	all	thunderbird	< 1:115.6.0-1	thunderbird_1:115.6.0-1_all.deb
Debian	13	all	thunderbird	< 1:115.6.0-1	thunderbird_1:115.6.0-1_all.deb