CVE-2022-1834

MEDIUM

Thunderbird < 91.10 - Improper Certificate Validation via Braille Pattern Blank Character

Title source: llm

Description

When displaying the sender of an email, and the sender name contained the Braille Pattern Blank space character multiple times, Thunderbird would have displayed all the spaces. This could have been used by an attacker to send an email message with the attacker's digital signature, that was shown with an arbitrary sender email address chosen by the attacker. If the sender name started with a false email address, followed by many Braille space characters, the attacker's email address was not visible. Because Thunderbird compared the invisible sender address with the signature's email address, if the signing key or certificate was accepted by Thunderbird, the email was shown as having a valid digital signature. This vulnerability affects Thunderbird < 91.10.

References (2)

Core 2

Core References

Issue Tracking, Permissions Required, Vendor Advisory

https://bugzilla.mozilla.org/show_bug.cgi?id=1767816

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-22/

Scores

CVSS v3 6.5

EPSS 0.0017

EPSS Percentile 38.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-295

Status published

Products (1)

mozilla/thunderbird < 91.10

Published Dec 22, 2022

Tracked Since Feb 18, 2026