CVE-2021-23992
CVE-2021-23992 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale. Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by adding another user ID. EPSS estimates a 0.48% chance of exploitation in the next 30 days.
Description
Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by adding another user ID. If Thunderbird imports and accepts the crafted key, the Thunderbird user may falsely conclude that the false user ID belongs to the correspondent. This vulnerability affects Thunderbird < 78.9.1.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Thunderbird | < 78.9.1 |
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1666236 (Issue Tracking, Permissions Required, Vendor Advisory)
- https://www.mozilla.org/security/advisories/mfsa2021-13/ (Release Notes, Vendor Advisory)
Source: NVD / NIST
