CVE-2021-23993

Published: Jun 24, 2021Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

An attacker may perform a DoS attack to prevent a user from sending encrypted email to a correspondent. If an attacker creates a crafted OpenPGP key with a subkey that has an invalid self signature, and the Thunderbird user imports the crafted key, then Thunderbird may try to use the invalid subkey, but the RNP library rejects it from being used, causing encryption to fail. This vulnerability affects Thunderbird < 78.9.1.

Affected (1)

Products: Mozilla: Thunderbird

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mozilla Thunderbird	Before 78.9.1

Related CWEs

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (4)

https://bugzilla.mozilla.org/show_bug.cgi?id=1666360

Source: security@mozilla.org

Issue TrackingPermissions RequiredVendor Advisory

https://www.mozilla.org/security/advisories/mfsa2021-13/

Source: security@mozilla.org

Release NotesVendor Advisory

https://bugzilla.mozilla.org/show_bug.cgi?id=1666360

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPermissions RequiredVendor Advisory

https://www.mozilla.org/security/advisories/mfsa2021-13/

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

Timeline

No history available yet.