Vulnerability Description
When importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not update the existing copy of the key that was not yet revoked, and the existing key was kept as non-revoked. Revocation statements that used another revocation reason, or that didn't specify a revocation reason, were unaffected. This vulnerability affects Thunderbird < 91.8.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Thunderbird | < 91.8 |
Related Weaknesses (CWE)
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1754985Issue TrackingPermissions RequiredVendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2022-15/Vendor Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=1754985Issue TrackingPermissions RequiredVendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2022-15/Vendor Advisory
FAQ
What is CVE-2022-1197?
CVE-2022-1197 is a vulnerability with a CVSS score of 5.4 (MEDIUM). When importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not update the existing copy of the key that was not yet revoked, and the existing key was kept as ...
How severe is CVE-2022-1197?
CVE-2022-1197 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-1197?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Thunderbird.