Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-37063.json
JSON Data
https://api.osv.dev/v1/vulns/AZL-37063
Upstream
Published
2022-11-19T00:15:31Z
Modified
2026-04-21T04:28:08.609714Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Summary
CVE-2022-4055 affecting package xdg-utils for versions less than 1.2.1-3
Details

When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.

References

Affected packages

Azure Linux:3 / xdg-utils

Package

Name
xdg-utils
Purl
pkg:rpm/azure-linux/xdg-utils

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.2.1-3

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-37063.json"