CVE-2022-4055

Name
CVE-2022-4055
Description
When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/205#note_1494267

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:freedesktop:xdg-utils:*:*:*:*:*:*:*:* xdg-utils >= 1.1.0 <= 1.1.3

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
xdg-utils 3.17-community 1.1.3-r4 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
xdg-utils 3.18-community 1.1.3-r4 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
xdg-utils 3.19-community 1.1.3-r4 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable