CVE-2021-29957Improper Verification of Cryptographic Signature in Mozilla Thunderbird

CWE-347Improper Verification of Cryptographic Signature10 documents7 sources
Severity
4.3MEDIUMNVD
OSV7.4
EPSS
0.3%
top 46.20%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla ThunderbirdDebian ThunderbirdMozilla Firefox
Timeline
PublishedJun 24
Latest updateMay 24

Description

If a MIME encoded email contains an OpenPGP inline signed or encrypted message part, but also contains an additional unprotected part, Thunderbird did not indicate that only parts of the message are protected. This vulnerability affects Thunderbird < 78.10.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages6 packages

debiandebian/thunderbird< thunderbird 1:78.10.2-1 (bookworm)
CVEListV5mozilla/thunderbirdunspecified78.10.2
NVDmozilla/thunderbird< 78.10.2
Debianmozilla/thunderbird< 1:78.10.2-1+3
Ubuntumozilla/thunderbird< 1:78.11.0+build1-0ubuntu0.18.04.2+1

Patches

Patch: bugzilla.mozilla.orgPatch: bugzilla.mozilla.org

🔴Vulnerability Details

4
GHSA
GHSA-5v9p-7pr9-r9pm: If a MIME encoded email contains an OpenPGP inline signed or encrypted message part, but also contains an additional unprotected part, Thunderbird did2022-05-24
OSV
thunderbird vulnerabilities2021-06-25
OSV
CVE-2021-29957: If a MIME encoded email contains an OpenPGP inline signed or encrypted message part, but also contains an additional unprotected part, Thunderbird did2021-06-24
OSV
thunderbird vulnerabilities2021-06-22

📋Vendor Advisories

5
Ubuntu
Thunderbird vulnerabilities2021-06-25
Ubuntu
Thunderbird vulnerabilities2021-06-22
Red Hat
Mozilla: Partial protection of inline OpenPGP message not indicated2021-05-17
Debian
CVE-2021-29957: thunderbird - If a MIME encoded email contains an OpenPGP inline signed or encrypted message p...2021
Mozilla
Mozilla Foundation Security Advisory 2021-22: CVE-2021-29957