PT-2021-2667 · Mozilla · Thunderbird
Neal Walfield · Published 2021-04-08 · Updated 2021-07-08 · CVE-2021-23992
CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions:
Thunderbird versions prior to 78.9.1
Description:
The issue stems from incorrect verification of OpenPGP key signatures. An attacker can craft an OpenPGP key by replacing or adding a user ID. If the crafted key is imported and accepted, the user may wrongly assume that the false user ID belongs to the correspondent. This allows a remote attacker to access protected information.
Recommendations:
For versions prior to 78.9.1, update to version 78.9.1 or later to resolve the issue.
Fix
Weakness Enumeration:
Improper Verification of Cryptographic Signature
Affected Products:
ALT Linux
Astra Linux
CentOS
Linux Mint
Red Hat
SUSE
Thunderbird
Ubuntu