Lucene search

[email protected]CVE-2021-23991

HistoryJun 24, 2021 - 2:15 p.m.

CVE-2021-23991

2021-06-2414:15:09

[email protected]

web.nvd.nist.gov

165

cve-2021-23991

thunderbird

openpgp

key import

email encryption

vulnerability

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:P/A:N

6.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

6.8 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

57.1%

JSON

If a Thunderbird user has previously imported Alice’s OpenPGP key, and Alice has extended the validity period of her key, but Alice’s updated key has not yet been imported, an attacker may send an email containing a crafted version of Alice’s key with an invalid subkey, Thunderbird might subsequently attempt to use the invalid subkey, and will fail to send encrypted email to Alice. This vulnerability affects Thunderbird < 78.9.1.

Affected configurations

Vulners

NVD

Node

mozillathunderbirdRange≤78.9.1

VendorProductVersionCPE
mozillathunderbird*cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mozilla	thunderbird	*	cpe:2.3:a:mozilla:thunderbird::::::::

CNA Affected

[
  {
    "product": "Thunderbird",
    "vendor": "Mozilla",
    "versions": [
      {
        "lessThan": "78.9.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]