Bug 2135396 (CVE-2022-39251) - CVE-2022-39251 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack
Summary: CVE-2022-39251 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-39251
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Severity: high
Priority: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2133369 2133370 2133371 2133372 2133373 2133374 2133375 2133376 2133377 2133378
Blocks: 2132403
Reported: 2022-10-17 14:00 UTC by Mauro Matteo Cascella
Modified: 2022-12-02 13:03 UTC (History)
CC List: 5 users

Fixed In Version: thunderbird 102.3.1
Doc Type: ---
Doc Text:
A flaw was found in Mozilla. According to the Mozilla Foundation Security Advisory, Thunderbird users who use the Matrix chat protocol are vulnerable to an impersonation attack. An attacker could spoof historical messages from other users, and could attach a malicious key backup to the user's account under specific conditions in order to exfiltrate message keys.
Clone Of:
Environment:
Last Closed: 2022-12-02 13:03:30 UTC
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2022:7178 | 0 | None | None | None | 2022-10-25 14:00:51 UTC
Red Hat Product Errata | RHSA-2022:7181 | 0 | None | None | None | 2022-10-25 14:43:46 UTC
Red Hat Product Errata | RHSA-2022:7182 | 0 | None | None | None | 2022-10-25 14:34:39 UTC
Red Hat Product Errata | RHSA-2022:7183 | 0 | None | None | None | 2022-10-25 14:41:06 UTC
Red Hat Product Errata | RHSA-2022:7184 | 0 | None | None | None | 2022-10-25 14:51:10 UTC
Red Hat Product Errata | RHSA-2022:7190 | 0 | None | None | None | 2022-10-25 15:20:37 UTC

Description Mauro Matteo Cascella 2022-10-17 14:00:20 UTC
Thunderbird users who use the Matrix chat protocol were vulnerable to an impersonation attack. An adversary could spoof historical messages from other users. Additionally, a malicious key backup could be attached to the user's account under certain unusual conditions in order to exfiltrate message keys.

External Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-43/#CVE-2022-39251

Comment 1 errata-xmlrpc 2022-10-25 14:00:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7178 https://access.redhat.com/errata/RHSA-2022:7178

Comment 2 errata-xmlrpc 2022-10-25 14:34:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:7182 https://access.redhat.com/errata/RHSA-2022:7182

Comment 3 errata-xmlrpc 2022-10-25 14:41:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:7183 https://access.redhat.com/errata/RHSA-2022:7183

Comment 4 errata-xmlrpc 2022-10-25 14:43:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:7181 https://access.redhat.com/errata/RHSA-2022:7181

Comment 5 errata-xmlrpc 2022-10-25 14:51:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:7184 https://access.redhat.com/errata/RHSA-2022:7184

Comment 6 errata-xmlrpc 2022-10-25 15:20:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7190 https://access.redhat.com/errata/RHSA-2022:7190

Comment 7 Product Security DevOps Team 2022-12-02 13:03:28 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-39251