OCSP revocation status of recipient certificates was not checked when sending S/Mime encrypted email, and revoked certificates would be accepted. Thunderbird versions from 68 to 102.9.1 were affected by this bug. This vulnerability affects Thunderbird < 102.10.
Weakness
The product does not validate, or incorrectly validates, a certificate.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Thunderbird | Mozilla | 68.0 (including) | 102.10 (excluding) |
| Red Hat Enterprise Linux 7 | RedHat | thunderbird-0:102.10.0-2.el7_9 | * |
| Red Hat Enterprise Linux 8 | RedHat | thunderbird-0:102.10.0-2.el8_7 | * |
| Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions | RedHat | thunderbird-0:102.10.0-2.el8_1 | * |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | RedHat | thunderbird-0:102.10.0-2.el8_2 | * |
| Red Hat Enterprise Linux 8.2 Telecommunications Update Service | RedHat | thunderbird-0:102.10.0-2.el8_2 | * |
| Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions | RedHat | thunderbird-0:102.10.0-2.el8_2 | * |
| Red Hat Enterprise Linux 8.4 Extended Update Support | RedHat | thunderbird-0:102.10.0-2.el8_4 | * |
| Red Hat Enterprise Linux 8.6 Extended Update Support | RedHat | thunderbird-0:102.10.0-2.el8_6 | * |
| Red Hat Enterprise Linux 9 | RedHat | thunderbird-0:102.10.0-2.el9_1 | * |
| Red Hat Enterprise Linux 9.0 Extended Update Support | RedHat | thunderbird-0:102.10.0-2.el9_0 | * |
| Thunderbird | Ubuntu | bionic | * |
| Thunderbird | Ubuntu | focal | * |
| Thunderbird | Ubuntu | jammy | * |
| Thunderbird | Ubuntu | kinetic | * |
| Thunderbird | Ubuntu | trusty | * |
| Thunderbird | Ubuntu | xenial | * |