CVE-2017-7829

Current Description

It is possible to spoof the sender's email address and display an arbitrary sender address to the email recipient. The real sender's address is not displayed if preceded by a null character in the display string. This vulnerability affects Thunderbird < 52.5.2.

Basic Data

Published: June 11, 2018
Last Modified: August 07, 2018
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-20
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: NONE
CVSS 2 - Integrity Impact: PARTIAL (I:P in the vector string)
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 5.0
Severity: MEDIUM
Exploitability Score: 10.0
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

CVSS 3 - Version: 3.0
CVSS 3 - Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS 3 - Attack Vector: NETWORK
CVSS 3 - Attack Complexity: LOW
CVSS 3 - Privileges Required: NONE
CVSS 3 - User Interaction: NONE
CVSS 3 - Scope: UNCHANGED
CVSS 3 - Confidentiality Impact: NONE
CVSS 3 - Integrity Impact: LOW
CVSS 3 - Availability Impact: NONE
CVSS 3 - Base Score: 5.3
CVSS 3 - Base Severity: MEDIUM
Exploitability Score: 3.9
Base Severity: MEDIUM

Configurations

Each entry lists CPE Version | Part | Vendor | Product | Version, followed by any field that is not a wildcard. Fields not shown (Update, Edition, Language, SW Edition, Target SW, Target HW, Other) are *, and version range bounds not shown are empty.

  • OR - Configuration 1
    2.3 | Application | Mozilla | Thunderbird | * | Version End Excluding: 52.5.2
  • OR - Configuration 2
    2.3 | OS | Redhat | Enterprise Linux Aus | 7.4
    2.3 | OS | Redhat | Enterprise Linux Desktop | 6.0
    2.3 | OS | Redhat | Enterprise Linux Desktop | 7.0
    2.3 | OS | Redhat | Enterprise Linux Eus | 7.4
    2.3 | OS | Redhat | Enterprise Linux Eus | 7.5
    2.3 | OS | Redhat | Enterprise Linux Server | 6.0
    2.3 | OS | Redhat | Enterprise Linux Server | 7.0
    2.3 | OS | Redhat | Enterprise Linux Workstation | 6.0
    2.3 | OS | Redhat | Enterprise Linux Workstation | 7.0
  • OR - Configuration 3
    2.3 | OS | Debian | Debian Linux | 7.0
    2.3 | OS | Debian | Debian Linux | 8.0
    2.3 | OS | Debian | Debian Linux | 9.0
  • OR - Configuration 4
    2.3 | OS | Canonical | Ubuntu Linux | 14.04 | SW Edition: lts
    2.3 | OS | Canonical | Ubuntu Linux | 16.04 | SW Edition: lts
    2.3 | OS | Canonical | Ubuntu Linux | 17.10

Vulnerable Software List

Vendor | Product | Versions
Mozilla | Thunderbird | *
Debian | Debian Linux | 7.0, 8.0, 9.0
Redhat | Enterprise Linux Workstation | 6.0, 7.0
Redhat | Enterprise Linux Eus | 7.4, 7.5
Redhat | Enterprise Linux Desktop | 6.0, 7.0
Redhat | Enterprise Linux Aus | 7.4
Redhat | Enterprise Linux Server | 6.0, 7.0
Canonical | Ubuntu Linux | 14.04, 16.04, 17.10

References

Name | URL | Source | Tags
102258 | http://www.securityfocus.com/bid/102258 | BID | Third Party Advisory, VDB Entry
1040123 | http://www.securitytracker.com/id/1040123 | SECTRACK | Third Party Advisory, VDB Entry
RHSA-2018:0061 | https://access.redhat.com/errata/RHSA-2018:0061 | REDHAT | Third Party Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1423432 | https://bugzilla.mozilla.org/show_bug.cgi?id=1423432 | CONFIRM | Exploit, Issue Tracking, Patch
[debian-lts-announce] 20171227 [SECURITY] [DLA 1223-1] thunderbird security update | https://lists.debian.org/debian-lts-announce/2017/12/msg00026.html | MLIST | Mailing List, Third Party Advisory
USN-3529-1 | https://usn.ubuntu.com/3529-1/ | UBUNTU | Third Party Advisory
DSA-4075 | https://www.debian.org/security/2017/dsa-4075 | DEBIAN | Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2017-30/ | https://www.mozilla.org/security/advisories/mfsa2017-30/ | CONFIRM | Vendor Advisory