CVE-2022-2226 (GCVE-0-2022-2226)

Vulnerability from cvelistv5 – Published: 2022-12-22 00:00 – Updated: 2025-04-15 15:01
VLAI
Summary
An OpenPGP digital signature includes information about the date when the signature was created. When displaying an email that contains a digital signature, the email's date will be shown. If the dates were different, then Thunderbird didn't report the email as having an invalid signature. If an attacker performed a replay attack, in which an old email with old contents are resent at a later time, it could lead the victim to believe that the statements in the email are current. Fixed versions of Thunderbird will require that the signature's date roughly matches the displayed date of the email. This vulnerability affects Thunderbird < 102 and Thunderbird < 91.11.
Severity
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • An email with a mismatching OpenPGP signature date was accepted as valid
  • CWE-294 - Authentication Bypass by Capture-replay
Assigner
References
Impacted products
Vendor Product Version
Mozilla Thunderbird Affected: unspecified , < 102 (custom)
Affected: unspecified , < 91.11 (custom)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:32:09.375Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2022-26/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1775441"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-2226",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-15T15:00:48.251530Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-294",
                "description": "CWE-294 Authentication Bypass by Capture-replay",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-15T15:01:41.069Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "102",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "91.11",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An OpenPGP digital signature includes information about the date when the signature was created. When displaying an email that contains a digital signature, the email\u0027s date will be shown. If the dates were different, then Thunderbird didn\u0027t report the email as having an invalid signature. If an attacker performed a replay attack, in which an old email with old contents are resent at a later time, it could lead the victim to believe that the statements in the email are current. Fixed versions of Thunderbird will require that the signature\u0027s date roughly matches the displayed date of the email. This vulnerability affects Thunderbird \u003c 102 and Thunderbird \u003c 91.11."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "An email with a mismatching OpenPGP signature date was accepted as valid",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-22T00:00:00.000Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2022-26/"
        },
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1775441"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2022-2226",
    "datePublished": "2022-12-22T00:00:00.000Z",
    "dateReserved": "2022-06-27T00:00:00.000Z",
    "dateUpdated": "2025-04-15T15:01:41.069Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-2226",
      "date": "2026-06-03",
      "epss": "0.00193",
      "percentile": "0.41015"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"91.11\", \"matchCriteriaId\": \"897D6E98-A21E-4D5A-A4E8-64073F667C0A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:thunderbird:101.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A216EBB0-80B9-4D77-8D82-6E073A21E2EF\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An OpenPGP digital signature includes information about the date when the signature was created. When displaying an email that contains a digital signature, the email\u0027s date will be shown. If the dates were different, then Thunderbird didn\u0027t report the email as having an invalid signature. If an attacker performed a replay attack, in which an old email with old contents are resent at a later time, it could lead the victim to believe that the statements in the email are current. Fixed versions of Thunderbird will require that the signature\u0027s date roughly matches the displayed date of the email. This vulnerability affects Thunderbird \u003c 102 and Thunderbird \u003c 91.11.\"}, {\"lang\": \"es\", \"value\": \"Una firma digital OpenPGP incluye informaci\\u00f3n sobre la fecha en que se cre\\u00f3 la firma. Al mostrar un correo electr\\u00f3nico que contiene una firma digital, se mostrar\\u00e1 la fecha del correo electr\\u00f3nico. Si las fechas eran diferentes, entonces Thunderbird no inform\\u00f3 que el correo electr\\u00f3nico tuviera una firma no v\\u00e1lida. Si un atacante realiz\\u00f3 un ataque de repetici\\u00f3n, en el que un correo electr\\u00f3nico antiguo con contenido antiguo se reenv\\u00eda m\\u00e1s adelante, podr\\u00eda hacer que la v\\u00edctima crea que las declaraciones en el correo electr\\u00f3nico son actuales. Las versiones fijas de Thunderbird requerir\\u00e1n que la fecha de la firma coincida aproximadamente con la fecha mostrada en el correo electr\\u00f3nico. Esta vulnerabilidad afecta a Thunderbird \u0026lt; 102 y Thunderbird \u0026lt; 91.11.\"}]",
      "id": "CVE-2022-2226",
      "lastModified": "2024-11-21T07:00:34.663",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}]}",
      "published": "2022-12-22T20:15:27.540",
      "references": "[{\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1775441\", \"source\": \"security@mozilla.org\", \"tags\": [\"Issue Tracking\", \"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2022-26/\", \"source\": \"security@mozilla.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1775441\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2022-26/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@mozilla.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-294\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-2226\",\"sourceIdentifier\":\"security@mozilla.org\",\"published\":\"2022-12-22T20:15:27.540\",\"lastModified\":\"2025-04-15T15:15:58.053\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An OpenPGP digital signature includes information about the date when the signature was created. When displaying an email that contains a digital signature, the email\u0027s date will be shown. If the dates were different, then Thunderbird didn\u0027t report the email as having an invalid signature. If an attacker performed a replay attack, in which an old email with old contents are resent at a later time, it could lead the victim to believe that the statements in the email are current. Fixed versions of Thunderbird will require that the signature\u0027s date roughly matches the displayed date of the email. This vulnerability affects Thunderbird \u003c 102 and Thunderbird \u003c 91.11.\"},{\"lang\":\"es\",\"value\":\"Una firma digital OpenPGP incluye informaci\u00f3n sobre la fecha en que se cre\u00f3 la firma. Al mostrar un correo electr\u00f3nico que contiene una firma digital, se mostrar\u00e1 la fecha del correo electr\u00f3nico. Si las fechas eran diferentes, entonces Thunderbird no inform\u00f3 que el correo electr\u00f3nico tuviera una firma no v\u00e1lida. Si un atacante realiz\u00f3 un ataque de repetici\u00f3n, en el que un correo electr\u00f3nico antiguo con contenido antiguo se reenv\u00eda m\u00e1s adelante, podr\u00eda hacer que la v\u00edctima crea que las declaraciones en el correo electr\u00f3nico son actuales. Las versiones fijas de Thunderbird requerir\u00e1n que la fecha de la firma coincida aproximadamente con la fecha mostrada en el correo electr\u00f3nico. Esta vulnerabilidad afecta a Thunderbird \u0026lt; 102 y Thunderbird \u0026lt; 91.11.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-294\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-294\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"91.11\",\"matchCriteriaId\":\"897D6E98-A21E-4D5A-A4E8-64073F667C0A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:thunderbird:101.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A216EBB0-80B9-4D77-8D82-6E073A21E2EF\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.mozilla.org/show_bug.cgi?id=1775441\",\"source\":\"security@mozilla.org\",\"tags\":[\"Issue Tracking\",\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2022-26/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.mozilla.org/show_bug.cgi?id=1775441\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2022-26/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.mozilla.org/security/advisories/mfsa2022-26/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1775441\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T00:32:09.375Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-2226\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-15T15:00:48.251530Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-294\", \"description\": \"CWE-294 Authentication Bypass by Capture-replay\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-15T15:01:34.447Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"Mozilla\", \"product\": \"Thunderbird\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"102\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"91.11\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://www.mozilla.org/security/advisories/mfsa2022-26/\"}, {\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1775441\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"An OpenPGP digital signature includes information about the date when the signature was created. When displaying an email that contains a digital signature, the email\u0027s date will be shown. If the dates were different, then Thunderbird didn\u0027t report the email as having an invalid signature. If an attacker performed a replay attack, in which an old email with old contents are resent at a later time, it could lead the victim to believe that the statements in the email are current. Fixed versions of Thunderbird will require that the signature\u0027s date roughly matches the displayed date of the email. This vulnerability affects Thunderbird \u003c 102 and Thunderbird \u003c 91.11.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"An email with a mismatching OpenPGP signature date was accepted as valid\"}]}], \"providerMetadata\": {\"orgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"shortName\": \"mozilla\", \"dateUpdated\": \"2022-12-22T00:00:00.000Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-2226\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-15T15:01:41.069Z\", \"dateReserved\": \"2022-06-27T00:00:00.000Z\", \"assignerOrgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"datePublished\": \"2022-12-22T00:00:00.000Z\", \"assignerShortName\": \"mozilla\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.