PT-2021-2595 · Mozilla+7 · Thunderbird+7

Cure53

Published

2021-01-26

Updated

2024-06-15

CVE-2021-23991

CVSS v3.1

6.8

Medium

Vector

AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions Thunderbird versions prior to 78.9.1

Description The issue is related to the incorrect verification of OpenPGP cryptographic signatures in Thunderbird. If a user has previously imported someone's OpenPGP key and the key owner has extended the validity period of their key, but the updated key has not been imported, an attacker can send an email with a crafted version of the key containing an invalid subkey. This could cause Thunderbird to attempt to use the invalid subkey, resulting in a failure to send encrypted emails to the key owner.

Recommendations For Thunderbird versions prior to 78.9.1, update to version 78.9.1 or later to resolve the issue.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-310

Related Identifiers

ALT-PU-2021-1804

ALT-PU-2021-1886

ALT-PU-2021-1892

BDU:2021-02077

CESA-2021_1192

CESA-2021_1193

CVE-2021-23991

DLA-2632-1

DSA-4897-1

MGASA-2021-0189

OPENSUSE-SU-2021:0580-1

OPENSUSE-SU-2021_0580-1

OPENSUSE-SU-2024:10601-1

RHSA-2021:1190

RHSA-2021:1192

RHSA-2021:1193

RHSA-2021:1201

RHSA-2021_1192

RHSA-2021_1193

SUSE-SU-2021:1167-1

USN-4995-1

USN-4995-2

Affected Products

Alt Linux

Astra Linux

Centos

Linuxmint

Red Hat

Suse

Thunderbird

Ubuntu

PT-2021-2595 · Mozilla+7 · Thunderbird+7

CVE-2021-23991

Weakness Enumeration

Related Identifiers

Affected Products

References · 452