CVE-2018-18509medium
New! CVE Severity Now Using CVSS v3
The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Description
A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content. This vulnerability affects Thunderbird < 60.5.1.
References
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00043.html
http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html
http://seclists.org/fulldisclosure/2019/Apr/38
http://www.openwall.com/lists/oss-security/2019/04/30/4
https://access.redhat.com/errata/RHSA-2019:1144
https://bugzilla.mozilla.org/show_bug.cgi?id=1507218
https://github.com/RUB-NDS/Johnny-You-Are-Fired
https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf
Details
Source: MITRE
Published: 2019-04-26
Updated: 2019-06-03
Type: CWE-347
Risk Information
CVSS v2
Base Score: 5
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Impact Score: 2.9
Exploitability Score: 10
Severity: MEDIUM
CVSS v3
Base Score: 5.3
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Impact Score: 1.4
Exploitability Score: 3.9
Severity: MEDIUM
Vulnerable Software
Configuration 1
OR
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 127579 | Oracle Linux 8 : thunderbird (ELSA-2019-1144) | Nessus | Oracle Linux Local Security Checks | critical |
| 127459 | NewStart CGSL MAIN 4.05 : thunderbird Multiple Vulnerabilities (NS-SA-2019-0169) | Nessus | NewStart CGSL Local Security Checks | critical |
| 127319 | NewStart CGSL MAIN 4.06 : thunderbird Multiple Vulnerabilities (NS-SA-2019-0095) | Nessus | NewStart CGSL Local Security Checks | critical |
| 127257 | NewStart CGSL CORE 5.04 / MAIN 5.04 : thunderbird Multiple Vulnerabilities (NS-SA-2019-0062) | Nessus | NewStart CGSL Local Security Checks | critical |
| 124845 | RHEL 8 : thunderbird (RHSA-2019:1144) | Nessus | Red Hat Local Security Checks | critical |
| 123817 | openSUSE Security Update : MozillaThunderbird (openSUSE-2019-1162) | Nessus | SuSE Local Security Checks | critical |
| 123581 | GLSA-201904-07 : Mozilla Thunderbird and Firefox: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical |
| 123562 | CentOS 7 : thunderbird (CESA-2019:0681) | Nessus | CentOS Local Security Checks | critical |
| 123561 | CentOS 6 : thunderbird (CESA-2019:0680) | Nessus | CentOS Local Security Checks | critical |
| 123488 | RHEL 7 : thunderbird (RHSA-2019:0681) | Nessus | Red Hat Local Security Checks | critical |
| 123487 | RHEL 6 : thunderbird (RHSA-2019:0680) | Nessus | Red Hat Local Security Checks | critical |
| 123485 | Oracle Linux 7 : thunderbird (ELSA-2019-0681) | Nessus | Oracle Linux Local Security Checks | critical |
| 123484 | Oracle Linux 6 : thunderbird (ELSA-2019-0680) | Nessus | Oracle Linux Local Security Checks | critical |
| 122493 | openSUSE Security Update : MozillaThunderbird (openSUSE-2019-251) | Nessus | SuSE Local Security Checks | critical |
| 122482 | Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : Thunderbird vulnerabilities (USN-3897-1) | Nessus | Ubuntu Local Security Checks | critical |
| 122470 | openSUSE Security Update : MozillaThunderbird (openSUSE-2019-250) | Nessus | SuSE Local Security Checks | high |
| 122402 | Mozilla Thunderbird < 60.5.1 | Nessus | Windows | high |
| 122401 | Mozilla Thunderbird < 60.5.1 | Nessus | MacOS X Local Security Checks | high |
| 122269 | Debian DSA-4392-1 : thunderbird - security update | Nessus | Debian Local Security Checks | critical |
| 122263 | Debian DLA-1678-1 : thunderbird security update | Nessus | Debian Local Security Checks | critical |