{"containers": {"cna": {"affected": [{"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "78.9.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by adding another user ID. If Thunderbird imports and accepts the crafted key, the Thunderbird user may falsely conclude that the false user ID belongs to the correspondent. This vulnerability affects Thunderbird < 78.9.1."}], "problemTypes": [{"descriptions": [{"description": "A crafted OpenPGP key with an invalid user ID could be used to confuse the user", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-06-24T13:26:45", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-13/"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1666236"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2021-23992", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Thunderbird", "version": {"version_data": [{"version_affected": "<", "version_value": "78.9.1"}]}}]}, "vendor_name": "Mozilla"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by adding another user ID. If Thunderbird imports and accepts the crafted key, the Thunderbird user may falsely conclude that the false user ID belongs to the correspondent. This vulnerability affects Thunderbird < 78.9.1."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "A crafted OpenPGP key with an invalid user ID could be used to confuse the user"}]}]}, "references": {"reference_data": [{"name": "https://www.mozilla.org/security/advisories/mfsa2021-13/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2021-13/"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1666236", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1666236"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:14:10.020Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-13/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1666236"}]}]}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2021-23992", "datePublished": "2021-06-24T13:26:45", "dateReserved": "2021-01-13T00:00:00", "dateUpdated": "2024-08-03T19:14:10.020Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "717003F7-C1B4-4A52-A10F-13DB37ED1FCE", "versionEndExcluding": "78.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by adding another user ID. If Thunderbird imports and accepts the crafted key, the Thunderbird user may falsely conclude that the false user ID belongs to the correspondent. This vulnerability affects Thunderbird < 78.9.1."}, {"lang": "es", "value": "Thunderbird no comprueba si el ID de usuario asociado a una clave OpenPGP presenta una autofirma v\u00e1lida. Un atacante puede crear una versi\u00f3n dise\u00f1ada de una clave OpenPGP, sustituyendo el ID de usuario original o a\u00f1adiendo otro ID de usuario. Si Thunderbird importa y acepta la clave dise\u00f1ada, el usuario de Thunderbird puede concluir falsamente que el falso ID de usuario pertenece al corresponsal. Esta vulnerabilidad afecta a Thunderbird versiones anteriores a 78.9.1"}], "id": "CVE-2021-23992", "lastModified": "2021-07-08T15:47:36.577", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-24T14:15:09.227", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1666236"}, {"source": "security@mozilla.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-13/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Neal Walfield as the original reporter.", "affected_release": [{"advisory": "RHSA-2021:1192", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "thunderbird-0:78.9.1-1.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2021-04-14T00:00:00Z"}, {"advisory": "RHSA-2021:1193", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:78.9.1-1.el8_3", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-04-14T00:00:00Z"}, {"advisory": "RHSA-2021:1190", "cpe": "cpe:/a:redhat:rhel_eus:8.1", "package": "thunderbird-0:78.9.1-1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2021-04-14T00:00:00Z"}, {"advisory": "RHSA-2021:1201", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "thunderbird-0:78.9.1-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2021-04-14T00:00:00Z"}], "bugzilla": {"description": "Mozilla: A crafted OpenPGP key with an invalid user ID could be used to confuse the user", "id": "1948394", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948394"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-347", "details": ["Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by adding another user ID. If Thunderbird imports and accepts the crafted key, the Thunderbird user may falsely conclude that the false user ID belongs to the correspondent. This vulnerability affects Thunderbird < 78.9.1."], "name": "CVE-2021-23992", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2021-04-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-23992\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-23992"], "threat_severity": "Moderate", "upstream_fix": "thunderbird 78.9.1"}