Vulnerability CVE-2021-23992: Information

Description

Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by adding another user ID. If Thunderbird imports and accepts the crafted key, the Thunderbird user may falsely conclude that the false user ID belongs to the correspondent. This vulnerability affects Thunderbird < 78.9.1.

Severity: MEDIUM (4.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-23992
Published: June 24, 2021
Modified: July 8, 2021
Error type identifier: CWE-347

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
thunderbirdsisyphus78.10.1-alt1115.9.0-alt1ALT-PU-2021-1804-1267593Fixed
thunderbirdp1078.10.1-alt1115.9.0-alt1ALT-PU-2021-1804-1267593Fixed
thunderbirdp978.10.2-alt0.1.p9102.11.0-alt0.c9.1ALT-PU-2021-1892-1271859Fixed
thunderbirdc10f178.10.1-alt1115.9.0-alt0.c10.1ALT-PU-2021-1804-1267593Fixed
thunderbirdc9f278.10.2-alt0.c9.1102.11.0-alt0.c9.1ALT-PU-2021-1886-1272274Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1666236
  • Issue Tracking
  • Permissions Required
  • Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-13/
  • Release Notes
  • Vendor Advisory

    1. Configuration 1

      cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
      End excliding
      78.9.1
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: v24.4.2
Back to top