CVE-2021-23991
N/A
N/A
Summary
If a Thunderbird user has previously imported Alice's OpenPGP key, and Alice has extended the validity period of her key, but Alice's updated key has not yet been imported, an attacker may send an email containing a crafted version of Alice's key with an invalid subkey, Thunderbird might subsequently attempt to use the invalid subkey, and will fail to send encrypted email to Alice. This vulnerability affects Thunderbird < 78.9.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Mozilla | Thunderbird | unspecified < 78.9.1 | affected |
Weaknesses
- An attacker may use Thunderbird's OpenPGP key refresh mechanism to poison an existing key
ADP Enrichment
CVE Program Container
Additional References
- https://www.mozilla.org/security/advisories/mfsa2021-13/
- https://bugzilla.mozilla.org/show_bug.cgi?id=1673240
References
- https://www.mozilla.org/security/advisories/mfsa2021-13/
- https://bugzilla.mozilla.org/show_bug.cgi?id=1673240
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.