CVE-2021-23993 — Improper Verification of Cryptographic Signature in Mozilla Thunderbird
Severity
NVD: 6.5 MEDIUM
OSV: 7.4
EPSS: 0.1% (top 84.29%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jun 24
Latest update: Apr 18
Description
An attacker may perform a DoS attack to prevent a user from sending encrypted email to a correspondent. If an attacker creates a crafted OpenPGP key with a subkey that has an invalid self signature, and the Thunderbird user imports the crafted key, then Thunderbird may try to use the invalid subkey, but the RNP library rejects it from being used, causing encryption to fail. This vulnerability affects Thunderbird < 78.9.1.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6
Affected Packages: 6 packages
Vulnerability Details (5)
GHSA: MailKit has STARTTLS Response Injection via unflushed stream buffer that enables SASL mechanism downgrade (2026-04-18)
GHSA: GHSA-3pj2-rvj5-6646: An attacker may perform a DoS attack to prevent a user from sending encrypted email to a correspondent (2022-05-24)
OSV: CVE-2021-23993: An attacker may perform a DoS attack to prevent a user from sending encrypted email to a correspondent (2021-06-24)
Vendor Advisories (5)
Red Hat
Debian: CVE-2021-23993: thunderbird - An attacker may perform a DoS attack to prevent a user from sending encrypted em... (2021)