CVE-2022-4055

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-4055
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-4055.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-4055
Related
Published
2022-11-19T00:15:31Z
Modified
2024-10-12T10:08:40.057903Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.

References

Affected packages

Debian:11 / xdg-utils

Package

Name
xdg-utils
Purl
pkg:deb/debian/xdg-utils?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.3-4.1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / xdg-utils

Package

Name
xdg-utils
Purl
pkg:deb/debian/xdg-utils?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.3-4.1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / xdg-utils

Package

Name
xdg-utils
Purl
pkg:deb/debian/xdg-utils?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.3-4.1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Git / gitlab.freedesktop.org/xdg/xdg-utils

Affected ranges

Type
GIT
Repo
https://gitlab.freedesktop.org/xdg/xdg-utils
Events
Introduced
d611784d5139803e2da55bd33690ad711d24a396
Last affected
159fc37075db2decf446f453fe1a796da6921aad

Affected versions

v1.*

v1.1.0
v1.1.1
v1.1.2
v1.1.3