Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2022-4055

Опубликовано: 03 авг. 2022
Источник: redhat
CVSS3: 7.4
EPSS Низкий

Описание

When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.

Отчет

To exploit this flaw, an attacker would need to convince a user to click on a specially crafted mailto URL. Additionally, the user must have the Thunderbird email client installed and xdg-mail configured to use Thunderbird to handle mailto URLs. Therefore, this vulnerability is rated as moderate rather than important because it requires user interaction and specific system configurations.

Меры по смягчению последствий

To mitigate this flaw, either:

  1. Do not use mailto links at all
  2. Always double-check in the user interface that there are no unwanted attachments before sending emails; especially when the email originates from clicking a mailto link.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 6xdg-utilsOut of support scope
Red Hat Enterprise Linux 7xdg-utilsOut of support scope
Red Hat Enterprise Linux 8xdg-utilsWill not fix
Red Hat Enterprise Linux 9xdg-utilsFixedRHSA-2025:767215.05.2025

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
https://bugzilla.redhat.com/show_bug.cgi?id=2143792xdg-utils: improper parse of mailto URIs allows bypass of Thunderbird security mechanism for attachments

EPSS

Процентиль: 6%
0.00028
Низкий

7.4 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2022-4055

CVSS3: 7.4
ubuntu
больше 2 лет назад

When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.

nvd логотип

CVE-2022-4055

CVSS3: 7.4
nvd
больше 2 лет назад

When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.

msrc логотип

CVE-2022-4055

CVSS3: 7.4
msrc
4 месяца назад

Описание отсутствует

debian логотип

CVE-2022-4055

CVSS3: 7.4
debian
больше 2 лет назад

When xdg-mail is configured to use thunderbird for mailto URLs, improp ...

github логотип

GHSA-p4jr-wm76-h2v3

CVSS3: 7.4
github
больше 2 лет назад

When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.

EPSS

Процентиль: 6%
0.00028
Низкий

7.4 High

CVSS3