Vulnerability Description
Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by adding another user ID. If Thunderbird imports and accepts the crafted key, the Thunderbird user may falsely conclude that the false user ID belongs to the correspondent. This vulnerability affects Thunderbird < 78.9.1.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Thunderbird | < 78.9.1 |
Related Weaknesses (CWE)
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1666236Issue TrackingPermissions RequiredVendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2021-13/Release NotesVendor Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=1666236Issue TrackingPermissions RequiredVendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2021-13/Release NotesVendor Advisory
FAQ
What is CVE-2021-23992?
CVE-2021-23992 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID...
How severe is CVE-2021-23992?
CVE-2021-23992 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-23992?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Thunderbird.