CVE-2022-1197
5.4
MEDIUM
CVSS 3.1
EPSS 0.24%
Description
When importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not update the existing copy of the key that was not yet revoked, and the existing key was kept as non-revoked. Revocation statements that used another revocation reason, or that didn't specify a revocation reason, were unaffected. This vulnerability affects Thunderbird < 91.8.
How to fix CVE-2022-1197
To remediate CVE-2022-1197, upgrade the affected package to a fixed version below.
- —upgrade to 1:91.8.0-1~deb11u1 or later
Is CVE-2022-1197 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1:91.8.0-1~deb11u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |