Vulnerability Description
When saving or opening an email attachment on macOS, Thunderbird did not set attribute com.apple.quarantine on the received file. If the received file was an application and the user attempted to open it, then the application was started immediately without asking the user to confirm. This vulnerability affects Thunderbird < 102.3.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Thunderbird | < 102.3 |
| Apple | Macos | - |
Related Weaknesses (CWE)
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1789061Issue TrackingPermissions RequiredVendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2022-42/Vendor Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=1789061Issue TrackingPermissions RequiredVendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2022-42/Vendor Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=1789061Issue TrackingPermissions RequiredVendor Advisory
FAQ
What is CVE-2022-3155?
CVE-2022-3155 is a vulnerability with a CVSS score of 7.8 (HIGH). When saving or opening an email attachment on macOS, Thunderbird did not set attribute com.apple.quarantine on the received file. If the received file was an application and the user attempted to open...
How severe is CVE-2022-3155?
CVE-2022-3155 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-3155?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Thunderbird, Apple Macos.