CVE-2021-23991
Description
If a Thunderbird user has previously imported Alice's OpenPGP key, and Alice has extended the validity period of her key, but Alice's updated key has not yet been imported, an attacker may send an email containing a crafted version of Alice's key with an invalid subkey. Thunderbird might subsequently attempt to use the invalid subkey and will fail to send encrypted email to Alice. This vulnerability affects Thunderbird < 78.9.1.
Risk Information
Base Score: 6.8 (MODERATE)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score (Exploitation Probability): 0.204
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2021-23991,CVE-2021-23993 are fixed in Mozilla Thunderbird (78.9.1) | Windows |
| Vulnerabilities CVE-2021-23991,CVE-2021-23993 are fixed in Mozilla Thunderbird (x64) (78.9.1) | Windows |
| Vulnerabilities CVE-2021-23991,CVE-2021-23993 are fixed in Mozilla Thunderbird For Mac (78.9.1) | Mac |
| Vulnerabilities CVE-2021-23991,CVE-2021-23992 are affected in Mozilla Thunderbird for Mac 78.4.2 | Mac |
| (RHSA-2021:1192) thunderbird security update thunderbird-78.9.1-1.el7_9.x86_64.rpm | Linux |
| (RHSA-2021:1193) thunderbird security update thunderbird-78.9.1-1.el8_3.x86_64.rpm | Linux |
| (RHSA-2021:1193) thunderbird security update thunderbird-debugsource-78.9.1-1.el8_3.x86_64.rpm | Linux |
| thunderbird security update(DSA-4897-1) thunderbird_78.10.0-1~deb10u1_i386.deb | Linux |
| thunderbird security update(DSA-4897-1) thunderbird_78.10.0-1~deb10u1_amd64.deb | Linux |
| Mozilla Open Source mail and newsgroup client (USN-4995-1) thunderbird_78.11.0+build1-0ubuntu0.20.04.2_amd64.deb | Linux |
| Mozilla Open Source mail and newsgroup client (USN-4995-1) thunderbird_78.11.0+build1-0ubuntu0.20.10.2_amd64.deb | Linux |
| Mozilla Open Source mail and newsgroup client (USN-4995-1) thunderbird_78.11.0+build1-0ubuntu0.21.04.2_amd64.deb | Linux |
| Mozilla Open Source mail and newsgroup client (USN-4995-2) thunderbird_78.11.0+build1-0ubuntu0.18.04.2_i386.deb | Linux |
| Mozilla Open Source mail and newsgroup client (USN-4995-2) thunderbird_78.11.0+build1-0ubuntu0.18.04.2_amd64.deb | Linux |
Patch Details
Patches provided by ManageEngine for this CVE:
| Patch ID | Patch Description |
|---|---|
| PATCH-319077 | Mozilla Thunderbird (78.9.1) |
| PATCH-319078 | Mozilla Thunderbird (x64) (78.9.1) |
| PATCH-611353 | Mozilla Thunderbird For Mac (128.12.0) |
| PATCH-611807 | Mozilla Thunderbird For Mac (142.0) |
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234