{"api_version":"1","generated_at":"2026-05-13T01:29:23+00:00","cve":"CVE-2021-23991","urls":{"html":"https://cve.report/CVE-2021-23991","api":"https://cve.report/api/cve/CVE-2021-23991.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-23991","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-23991"},"summary":{"title":"CVE-2021-23991","description":"If a Thunderbird user has previously imported Alice's OpenPGP key, and Alice has extended the validity period of her key, but Alice's updated key has not yet been imported, an attacker may send an email containing a crafted version of Alice's key with an invalid subkey, Thunderbird might subsequently attempt to use the invalid subkey, and will fail to send encrypted email to Alice. This vulnerability affects Thunderbird < 78.9.1.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2021-06-24 14:15:00","updated_at":"2021-07-08 15:50:00"},"problem_types":["NVD-CWE-Other"],"metrics":[],"references":[{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1673240","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1673240","refsource":"MISC","tags":[],"title":"1673240 - (CVE-2021-23991) RNP-01-014 WP1 Thunderbird: Key manipulation via uncertified Auto-Import (Medium)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-13/","name":"https://www.mozilla.org/security/advisories/mfsa2021-13/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Thunderbird 78.9.1 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-23991","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23991","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"23991","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-23991","qid":"159147","title":"Oracle Enterprise Linux Security Update for thunderbird (ELSA-2021-1192)"},{"cve":"CVE-2021-23991","qid":"159148","title":"Oracle Enterprise Linux Security Update for thunderbird (ELSA-2021-1193)"},{"cve":"CVE-2021-23991","qid":"178561","title":"Debian Security Update for thunderbird (DSA 4897-1)"},{"cve":"CVE-2021-23991","qid":"178644","title":"Debian Security Update for thunderbird (DLA 2632-1)"},{"cve":"CVE-2021-23991","qid":"179921","title":"Debian Security Update for thunderbird (CVE-2021-23991)"},{"cve":"CVE-2021-23991","qid":"198415","title":"Ubuntu Security Notification for Thunderbird vulnerabilities (USN-4995-1)"},{"cve":"CVE-2021-23991","qid":"198424","title":"Ubuntu Security Notification for Thunderbird vulnerabilities (USN-4995-2)"},{"cve":"CVE-2021-23991","qid":"239221","title":"Red Hat Update for thunderbird (RHSA-2021:1201)"},{"cve":"CVE-2021-23991","qid":"239223","title":"Red Hat Update for thunderbird (RHSA-2021:1193)"},{"cve":"CVE-2021-23991","qid":"239224","title":"Red Hat Update for thunderbird (RHSA-2021:1192)"},{"cve":"CVE-2021-23991","qid":"239225","title":"Red Hat Update for thunderbird (RHSA-2021:1190)"},{"cve":"CVE-2021-23991","qid":"257078","title":"CentOS Security Update for thunderbird (CESA-2021:1192)"},{"cve":"CVE-2021-23991","qid":"296068","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 34.94.4 Missing (CPUAPR2021)"},{"cve":"CVE-2021-23991","qid":"352368","title":"Amazon Linux Security Advisory for thunderbird: ALAS2-2021-1644"},{"cve":"CVE-2021-23991","qid":"375465","title":"Mozilla Thunderbird Multiple Vulnerabilities (MFSA2021-13)"},{"cve":"CVE-2021-23991","qid":"750260","title":"OpenSUSE Security Update for MozillaThunderbird (openSUSE-SU-2021:0580-1)"},{"cve":"CVE-2021-23991","qid":"940242","title":"AlmaLinux Security Update for thunderbird (ALSA-2021:1193)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-23991","ASSIGNER":"security@mozilla.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Mozilla","product":{"product_data":[{"product_name":"Thunderbird","version":{"version_data":[{"version_value":"78.9.1","version_affected":"<"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"An attacker may use Thunderbird's OpenPGP key refresh mechanism to poison an existing key"}]}]},"references":{"reference_data":[{"url":"https://www.mozilla.org/security/advisories/mfsa2021-13/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2021-13/"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1673240","refsource":"MISC","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1673240"}]},"description":{"description_data":[{"lang":"eng","value":"If a Thunderbird user has previously imported Alice's OpenPGP key, and Alice has extended the validity period of her key, but Alice's updated key has not yet been imported, an attacker may send an email containing a crafted version of Alice's key with an invalid subkey, Thunderbird might subsequently attempt to use the invalid subkey, and will fail to send encrypted email to Alice. This vulnerability affects Thunderbird < 78.9.1."}]}},"nvd":{"publishedDate":"2021-06-24 14:15:00","lastModifiedDate":"2021-07-08 15:50:00","problem_types":["NVD-CWE-Other"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":6.8,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.6,"impactScore":5.2},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:H/Au:N/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"HIGH","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4},"severity":"MEDIUM","exploitabilityScore":4.9,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionEndExcluding":"78.9.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"23991","Ordinal":"198747","Title":"CVE-2021-23991","CVE":"CVE-2021-23991","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"23991","Ordinal":"1","NoteData":"If a Thunderbird user has previously imported Alice's OpenPGP key, and Alice has extended the validity period of her key, but Alice's updated key has not yet been imported, an attacker may send an email containing a crafted version of Alice's key with an invalid subkey, Thunderbird might subsequently attempt to use the invalid subkey, and will fail to send encrypted email to Alice. This vulnerability affects Thunderbird < 78.9.1.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"23991","Ordinal":"2","NoteData":"2021-06-24","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"23991","Ordinal":"3","NoteData":"2021-06-24","Type":"Other","Title":"Modified"}]}}}