中危 redhat_7 thunderbird 对危险操作的ui警示不充分

CVE编号

CVE-2022-2226

利用情况

暂无

补丁情况

官方补丁

披露时间

2022-06-28
漏洞描述
A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes this issue of when an OpenPGP digital signature includes information about the date when the signature was created. When displaying an email that contains a digital signature, it will show the email's date. If the dates were different, Thunderbird didn't report the email as having an invalid signature. If an attacker performs a replay attack, in which an old email with old contents is present at a later time, it could lead the victim to believe that the statements in the email are current. Fixed versions of Thunderbird will require that the signature's date roughly matches the displayed date of the email.
解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
应用 mozilla thunderbird * Up to
(excluding)
91.11
运行在以下环境
应用 mozilla thunderbird 101.0 -
运行在以下环境
系统 alma_linux_9 thunderbird * Up to
(excluding)
91.11.0-2.el9_0.alma
运行在以下环境
系统 alpine_3.16 thunderbird * Up to
(excluding)
91.11.0-r0
运行在以下环境
系统 alpine_3.17 thunderbird * Up to
(excluding)
102.0-r0
运行在以下环境
系统 alpine_3.18 thunderbird * Up to
(excluding)
102.0-r0
运行在以下环境
系统 alpine_3.19 thunderbird * Up to
(excluding)
102.0-r0
运行在以下环境
系统 amazon_2 thunderbird * Up to
(excluding)
91.11.0-2.amzn2.0.1
运行在以下环境
系统 anolis_os_7 thunderbird * Up to
(excluding)
91.11.0-2.0.1
运行在以下环境
系统 anolis_os_8 thunderbird * Up to
(excluding)
91.11.0-2.0.1
运行在以下环境
系统 centos_7 thunderbird * Up to
(excluding)
91.11.0-2.el7.centos
运行在以下环境
系统 debian_10 thunderbird * Up to
(excluding)
91.11.0-1~deb10u1
运行在以下环境
系统 debian_11 thunderbird * Up to
(excluding)
91.11.0-1~deb11u1
运行在以下环境
系统 debian_12 thunderbird * Up to
(excluding)
91.11.0-1
运行在以下环境
系统 opensuse_Leap_15.3 MozillaThunderbird * Up to
(excluding)
91.11.0-150200.8.76.1
运行在以下环境
系统 opensuse_Leap_15.4 MozillaThunderbird * Up to
(excluding)
91.11.0-150200.8.76.1
运行在以下环境
系统 oracle_7 thunderbird * Up to
(excluding)
91.11.0-2.0.1.el7_9
运行在以下环境
系统 oracle_8 thunderbird * Up to
(excluding)
91.11.0-2.0.1.el8_6
运行在以下环境
系统 oracle_9 thunderbird * Up to
(excluding)
91.11.0-2.0.1.el9_0
运行在以下环境
系统 redhat_7 thunderbird * Up to
(excluding)
91.11.0-2.el7_9
运行在以下环境
系统 redhat_8 thunderbird * Up to
(excluding)
91.11.0-2.el8_6
运行在以下环境
系统 redhat_9 thunderbird * Up to
(excluding)
91.11.0-2.el9_0
运行在以下环境
系统 rocky_linux_8 thunderbird * Up to
(excluding)
91.11.0-2.el8_6
运行在以下环境
系统 ubuntu_18.04 thunderbird * Up to
(excluding)
91.11.0+build2-0ubuntu0.18.04.1
运行在以下环境
系统 ubuntu_20.04 thunderbird * Up to
(excluding)
91.11.0+build2-0ubuntu0.20.04.1
运行在以下环境
系统 ubuntu_21.10 thunderbird * Up to
(excluding)
91.11.0+build2-0ubuntu0.21.10.1
运行在以下环境
系统 ubuntu_22.04 thunderbird * Up to
(excluding)
91.11.0+build2-0ubuntu0.22.04.1
阿里云评分
5.1
  • 攻击路径
    本地
  • 攻击复杂度
    复杂
  • 权限要求
    普通权限
  • 影响范围
    越权影响
  • EXP成熟度
    未验证
  • 补丁情况
    官方补丁
  • 数据保密性
    无影响
  • 数据完整性
    无影响
  • 服务器危害
    无影响
  • 全网数量
    N/A
CWE-ID 漏洞类型
CWE-294 使用捕获-重放进行的认证绕过
CWE-357 对危险操作的UI警示不充分
阿里云安全产品覆盖情况