CVE-2021-23992Improper Verification of Cryptographic Signature in Mozilla Thunderbird

CWE-347Improper Verification of Cryptographic Signature10 documents7 sources
Severity
4.3MEDIUMNVD
OSV7.4
EPSS
0.1%
top 75.16%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla ThunderbirdDebian ThunderbirdMozilla Firefox
Timeline
PublishedJun 24
Latest updateMay 24

Description

Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by adding another user ID. If Thunderbird imports and accepts the crafted key, the Thunderbird user may falsely conclude that the false user ID belongs to the correspondent. This vulnerability affects Thunderbird < 78.9.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages6 packages

debiandebian/thunderbird< thunderbird 1:78.10.0-1 (bookworm)
CVEListV5mozilla/thunderbirdunspecified78.9.1
NVDmozilla/thunderbird< 78.9.1
Debianmozilla/thunderbird< 1:78.10.0-1+3
Ubuntumozilla/thunderbird< 1:78.11.0+build1-0ubuntu0.18.04.2+1

🔴Vulnerability Details

4
GHSA
GHSA-x89c-f42w-ch2g: Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature2022-05-24
OSV
thunderbird vulnerabilities2021-06-25
OSV
CVE-2021-23992: Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature2021-06-24
OSV
thunderbird vulnerabilities2021-06-22

📋Vendor Advisories

5
Ubuntu
Thunderbird vulnerabilities2021-06-25
Ubuntu
Thunderbird vulnerabilities2021-06-22
Red Hat
Mozilla: A crafted OpenPGP key with an invalid user ID could be used to confuse the user2021-04-08
Debian
CVE-2021-23992: thunderbird - Thunderbird did not check if the user ID associated with an OpenPGP key has a va...2021
Mozilla
Mozilla Foundation Security Advisory 2021-13: CVE-2021-23992