CVE-2023-50762

When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user. This is because the text was interpreted as a MIME message and the first paragraph was always treated as an email header section. A digitally signed text from a different context, such as a signed GIT commit, could be used to spoof an email message. This vulnerability affects Thunderbird < 115.6.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1862625	Issue Tracking Permissions Required
https://lists.debian.org/debian-lts-announce/2023/12/msg00021.html
https://www.debian.org/security/2023/dsa-5582	Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2023-55/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:debian:debian_linux:11.0:::::::*
	cpe:2.3:o:debian:debian_linux:12.0:::::::*

History

No history.

Information

Published : 2023-12-19 14:15

Updated : 2023-12-29 13:15

NVD link : CVE-2023-50762

Mitre link : CVE-2023-50762

CVE.ORG link : CVE-2023-50762

JSON object : View

Products Affected

debian

debian_linux

mozilla

thunderbird

CWE

NVD-CWE-noinfo

{"id": "CVE-2023-50762", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2023-12-19T14:15:07.093", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1862625", "tags": ["Issue Tracking", "Permissions Required"], "source": "security@mozilla.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00021.html", "source": "security@mozilla.org"}, {"url": "https://www.debian.org/security/2023/dsa-5582", "tags": ["Third Party Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2023-55/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user. This is because the text was interpreted as a MIME message and the first paragraph was always treated as an email header section. A digitally signed text from a different context, such as a signed GIT commit, could be used to spoof an email message. This vulnerability affects Thunderbird < 115.6."}, {"lang": "es", "value": "Al procesar un payload PGP/MIME que contiene texto firmado digitalmente, el primer p\u00e1rrafo del texto nunca se mostr\u00f3 al usuario. Esto se debe a que el texto se interpret\u00f3 como un mensaje MIME y el primer p\u00e1rrafo siempre se trat\u00f3 como una secci\u00f3n de encabezado de correo electr\u00f3nico. Un texto firmado digitalmente de un contexto diferente, como un commit GIT firmada, podr\u00eda usarse para falsificar un mensaje de correo electr\u00f3nico. Esta vulnerabilidad afecta a Thunderbird < 115.6."}], "lastModified": "2023-12-29T13:15:08.577", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1856451B-B03F-4BF2-AEFE-BF66D82D9E78", "versionEndExcluding": "115.6"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"}, {"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C"}], "operator": "OR"}]}], "sourceIdentifier": "security@mozilla.org"}