Unrated severity · NVD Advisory · Published Apr 26, 2019 · Updated Aug 5, 2024
CVE-2018-18509
Description
A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content. This vulnerability affects Thunderbird < 60.5.1.
Affected products
- osv-coords (4 versions)
  - pkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Leap%2015.0
  - pkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015
  - pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Package%20Hub%2012
- (no CPE) range: < 60.6.1-lp150.3.37.1
- (no CPE) range: < 91.1.1-1.1
- (no CPE) range: < 60.5.1-3.24.1
- (no CPE) range: < 60.5.1-79.1
- Range: unspecified
Patches
No patches discovered yet.
References
- lists.opensuse.org/opensuse-security-announce/2019-04/msg00043.html (mitre, vendor-advisory, x_refsource_SUSE)
- access.redhat.com/errata/RHSA-2019:1144 (mitre, vendor-advisory, x_refsource_REDHAT)
- packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html (mitre, x_refsource_MISC)
- seclists.org/fulldisclosure/2019/Apr/38 (mitre, mailing-list, x_refsource_FULLDISC)
- www.openwall.com/lists/oss-security/2019/04/30/4 (mitre, mailing-list, x_refsource_MLIST)
- bugzilla.mozilla.org/show_bug.cgi (mitre, x_refsource_MISC)
- github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf (mitre, x_refsource_MISC)
- www.mozilla.org/security/advisories/mfsa2019-06/ (mitre, x_refsource_MISC)