#VU52002 Cryptographic issues in Mozilla Thunderbird - CVE-2021-23991 

 

Published: April 8, 2021


Vulnerability identifier: #VU52002
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-23991
CWE-ID: CWE-310
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Mozilla Thunderbird
Software vendor: Mozilla

Description

The vulnerability allows a remote attacker to cause email encryption to fail.

The vulnerability exists in the way Thunderbird uses the OpenPGP key refresh mechanism when handling a key with an extended validity period. A remote attacker can send the victim an email containing a crafted version of the original key and an invalid subkey and force the application to use the invalid subkey, which results in a failure to encrypt the original email message when sending it.


Remediation

Install updates from vendor's website.
