Bug 2143792 (CVE-2022-4055) - CVE-2022-4055 xdg-utils: improper parse of mailto URIs allows bypass of Thunderbird security mechanism for attachments
Summary: CVE-2022-4055 xdg-utils: improper parse of mailto URIs allows bypass of Thund...
Keywords:
Status: NEW
Alias: CVE-2022-4055
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2151294 2151303 2151304
Blocks: 2128075
Reported: 2022-11-17 21:17 UTC by Zack Miele
Modified: 2023-07-07 08:31 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Zack Miele 2022-11-17 21:17:55 UTC
When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.
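The defensive counterpart to the parsing problem described above, as an added example that is not xdg-utils code and not part of this report: a strict mailto: parser that percent-decodes each header field, forwards only the address headers plus subject and body (the allowlist, the `MailtoError` class and the function names are this example's own choices, following RFC 2368's advice that a user agent may keep only a subset of headers), drops and reports every other header name, and rejects control characters smuggled through percent-encoding in headers other than body. A helper rebuilds a canonical URI from the allowlisted result so the mail client only ever sees fields the parser vetted.

```python
"""Strict mailto: URI parsing with a header allowlist (added example)."""
from urllib.parse import quote, unquote, urlsplit

# Header names this example forwards to the mail client. Assumption of this
# example: anything not listed here is discarded, whatever its name.
ALLOWED_HEADERS = frozenset({"to", "cc", "bcc", "subject", "body"})
ADDRESS_HEADERS = frozenset({"to", "cc", "bcc"})


class MailtoError(ValueError):
    """Raised when the URI is not a well-formed or acceptable mailto: URI."""


def _decode(value: str, name: str) -> str:
    """Percent-decode one header value and reject control characters.

    CR/LF is only legitimate inside body (RFC 2368 uses %0D%0A for line
    breaks there); anywhere else it could terminate one field and start
    another in the composed message or in a command line built from it.
    """
    decoded = unquote(value)
    for ch in decoded:
        if (ord(ch) < 0x20 or ch == "\x7f") and not (name == "body" and ch in "\r\n"):
            raise MailtoError(f"control character in {name!r}: {value!r}")
    return decoded


def _split_addresses(value: str) -> list:
    return [addr for addr in value.split(",") if addr]


def parse_mailto(uri: str):
    """Return (recipients, headers, dropped) for a mailto: URI.

    recipients: addresses from the path plus any to= header fields
    headers:    allowed non-to headers (cc, bcc, subject, body), decoded
    dropped:    header names that were present but not on the allowlist
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() != "mailto":
        raise MailtoError(f"not a mailto URI: {uri!r}")
    if parts.fragment:
        raise MailtoError("fragment not permitted in a mailto URI")

    recipients = _split_addresses(_decode(parts.path, "to"))
    headers = {}
    dropped = []
    for field in parts.query.split("&") if parts.query else []:
        if not field:
            continue
        name, sep, value = field.partition("=")
        name = name.lower()
        if not sep or not name:
            raise MailtoError(f"malformed header field: {field!r}")
        if name not in ALLOWED_HEADERS:
            dropped.append(name)  # never forwarded, only reported
            continue
        value = _decode(value, name)
        if name == "to":
            recipients.extend(_split_addresses(value))
        elif name in ADDRESS_HEADERS:
            headers[name] = ",".join(_split_addresses(headers.get(name, "") + "," + value))
        elif name in headers:
            raise MailtoError(f"duplicate {name!r} header")
        else:
            headers[name] = value
    return recipients, headers, dropped


def rebuild_mailto(recipients: list, headers: dict) -> str:
    """Re-encode an allowlisted parse result as a canonical mailto: URI."""
    uri = "mailto:" + ",".join(quote(addr, safe="@") for addr in recipients)
    fields = [f"{name}={quote(value, safe='@')}" for name, value in headers.items()]
    return uri + ("?" + "&".join(fields) if fields else "")


def sanitize_mailto(uri: str) -> str:
    """Parse, drop unknown headers, and hand back a URI safe to forward."""
    recipients, headers, _dropped = parse_mailto(uri)
    return rebuild_mailto(recipients, headers)


if __name__ == "__main__":
    # Constructed sample: one unknown header and one percent-encoded value.
    sample = "mailto:alice@example.test?subject=Hello%20there&cc=bob@example.test&x-unsafe-header=ignored"
    print(parse_mailto(sample))
    print(sanitize_mailto(sample))
```

The point of `sanitize_mailto` is that the mail client never receives the raw query string: whatever extra header names a crafted link carries, only the vetted fields survive the rebuild, and a header-injection attempt via an encoded newline is refused outright instead of being passed along.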

Comment 2 Zack Miele 2022-12-06 15:53:58 UTC
Created xdg-utils tracking bugs for this issue:

Affects: fedora-all [bug 2151294]
