nvd-json-data-feeds/CVE-2018/CVE-2018-185xx/CVE-2018-18509.json

{
  "id": "CVE-2018-18509",
  "sourceIdentifier": "security@mozilla.org",
  "published": "2019-04-26T17:29:00.243",
  "lastModified": "2019-06-03T19:29:01.390",
  "vulnStatus": "Modified",
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content. This vulnerability affects Thunderbird < 60.5.1."
    },
    {
      "lang": "es",
      "value": "Un fallo durante la comprobaci\u00f3n de ciertas firmas S/MIME produce correos electr\u00f3nicos que se mostrar\u00e1n en Thunderbird con una firma digital v\u00e1lida, incluso si el contenido del mensaje mostrado no est\u00e1 cubierto por la firma. El fallo le permite a un atacante reutilizar una firma S/MIME v\u00e1lida para poder elaborar un mensaje de correo electr\u00f3nico con contenido arbitrario. Esta vulnerabilidad afecta a Thunderbird versiones <60.5.1."
    }
  ],
  "metrics": {
    "cvssMetricV30": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.0",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "accessVector": "NETWORK",
          "accessComplexity": "LOW",
          "authentication": "NONE",
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.0
        },
        "baseSeverity": "MEDIUM",
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": false
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-347"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "60.5.1",
              "matchCriteriaId": "0C51200B-CE35-47CB-89C2-185BC159A0B4"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00043.html",
      "source": "security@mozilla.org"
    },
    {
      "url": "http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html",
      "source": "security@mozilla.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ]
    },
    {
      "url": "http://seclists.org/fulldisclosure/2019/Apr/38",
      "source": "security@mozilla.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ]
    },
    {
      "url": "http://www.openwall.com/lists/oss-security/2019/04/30/4",
      "source": "security@mozilla.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://access.redhat.com/errata/RHSA-2019:1144",
      "source": "security@mozilla.org"
    },
    {
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1507218",
      "source": "security@mozilla.org",
      "tags": [
        "Issue Tracking",
        "Permissions Required",
        "Vendor Advisory"
      ]
    },
    {
      "url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired",
      "source": "security@mozilla.org"
    },
    {
      "url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf",
      "source": "security@mozilla.org"
    },
    {
      "url": "https://www.mozilla.org/security/advisories/mfsa2019-06/",
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ]
    }
  ]
}