First published: Thu Feb 14 2019
A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content.
Credit: security@mozilla.org
Affected Software | Affected Version | How to fix |
---|---|---|
Mozilla Thunderbird | <60.5.1 | 60.5.1 |
debian/thunderbird | 1:115.12.0-1~deb11u1 1:128.5.0esr-1~deb11u1 1:115.16.0esr-1~deb12u1 1:128.5.0esr-1~deb12u1 1:128.5.0esr-1 1:128.5.2esr-1 |
CVE-2018-18509 is a vulnerability in Thunderbird that allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary contents.
CVE-2018-18509 causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature.
The severity of CVE-2018-18509 is high, with a CVSS (Common Vulnerability Scoring System) score of 5.3.
To fix CVE-2018-18509 in Thunderbird, you should update Thunderbird to version 60.5.1 or later.
You can find more information about CVE-2018-18509 in the following references: [Bugzilla](https://bugzilla.mozilla.org/show_bug.cgi?id=1507218), [Mozilla Security Advisory](https://www.mozilla.org/en-US/security/advisories/mfsa2019-06/), [Full Disclosure Mailing List](http://seclists.org/fulldisclosure/2019/Apr/38)