{"api_version":"1","generated_at":"2026-04-23T04:10:41+00:00","cve":"CVE-2021-23992","urls":{"html":"https://cve.report/CVE-2021-23992","api":"https://cve.report/api/cve/CVE-2021-23992.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-23992","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-23992"},"summary":{"title":"CVE-2021-23992","description":"Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by adding another user ID. If Thunderbird imports and accepts the crafted key, the Thunderbird user may falsely conclude that the false user ID belongs to the correspondent. This vulnerability affects Thunderbird < 78.9.1.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2021-06-24 14:15:00","updated_at":"2021-07-08 15:47:00"},"problem_types":["CWE-347"],"metrics":[],"references":[{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1666236","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1666236","refsource":"MISC","tags":[],"title":"Access Denied","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-13/","name":"https://www.mozilla.org/security/advisories/mfsa2021-13/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Thunderbird 78.9.1 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-23992","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23992","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"23992","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-23992","qid":"159147","title":"Oracle Enterprise Linux Security Update for thunderbird (ELSA-2021-1192)"},{"cve":"CVE-2021-23992","qid":"159148","title":"Oracle Enterprise Linux Security Update for thunderbird (ELSA-2021-1193)"},{"cve":"CVE-2021-23992","qid":"178561","title":"Debian Security Update for thunderbird (DSA 4897-1)"},{"cve":"CVE-2021-23992","qid":"178644","title":"Debian Security Update for thunderbird (DLA 2632-1)"},{"cve":"CVE-2021-23992","qid":"180183","title":"Debian Security Update for thunderbird (CVE-2021-23992)"},{"cve":"CVE-2021-23992","qid":"198415","title":"Ubuntu Security Notification for Thunderbird vulnerabilities (USN-4995-1)"},{"cve":"CVE-2021-23992","qid":"198424","title":"Ubuntu Security Notification for Thunderbird vulnerabilities (USN-4995-2)"},{"cve":"CVE-2021-23992","qid":"239221","title":"Red Hat Update for thunderbird (RHSA-2021:1201)"},{"cve":"CVE-2021-23992","qid":"239223","title":"Red Hat Update for thunderbird (RHSA-2021:1193)"},{"cve":"CVE-2021-23992","qid":"239224","title":"Red Hat Update for thunderbird (RHSA-2021:1192)"},{"cve":"CVE-2021-23992","qid":"239225","title":"Red Hat Update for thunderbird (RHSA-2021:1190)"},{"cve":"CVE-2021-23992","qid":"257078","title":"CentOS Security Update for thunderbird (CESA-2021:1192)"},{"cve":"CVE-2021-23992","qid":"296068","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 34.94.4 Missing (CPUAPR2021)"},{"cve":"CVE-2021-23992","qid":"352368","title":"Amazon Linux Security Advisory for thunderbird: ALAS2-2021-1644"},{"cve":"CVE-2021-23992","qid":"375465","title":"Mozilla Thunderbird Multiple Vulnerabilities (MFSA2021-13)"},{"cve":"CVE-2021-23992","qid":"750260","title":"OpenSUSE Security Update for MozillaThunderbird (openSUSE-SU-2021:0580-1)"},{"cve":"CVE-2021-23992","qid":"940242","title":"AlmaLinux Security Update for thunderbird (ALSA-2021:1193)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-23992","ASSIGNER":"security@mozilla.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Mozilla","product":{"product_data":[{"product_name":"Thunderbird","version":{"version_data":[{"version_value":"78.9.1","version_affected":"<"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"A crafted OpenPGP key with an invalid user ID could be used to confuse the user"}]}]},"references":{"reference_data":[{"url":"https://www.mozilla.org/security/advisories/mfsa2021-13/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2021-13/"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1666236","refsource":"MISC","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1666236"}]},"description":{"description_data":[{"lang":"eng","value":"Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by adding another user ID. If Thunderbird imports and accepts the crafted key, the Thunderbird user may falsely conclude that the false user ID belongs to the correspondent. This vulnerability affects Thunderbird < 78.9.1."}]}},"nvd":{"publishedDate":"2021-06-24 14:15:00","lastModifiedDate":"2021-07-08 15:47:00","problem_types":["CWE-347"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionEndExcluding":"78.9.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"23992","Ordinal":"198748","Title":"CVE-2021-23992","CVE":"CVE-2021-23992","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"23992","Ordinal":"1","NoteData":"Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by adding another user ID. If Thunderbird imports and accepts the crafted key, the Thunderbird user may falsely conclude that the false user ID belongs to the correspondent. This vulnerability affects Thunderbird < 78.9.1.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"23992","Ordinal":"2","NoteData":"2021-06-24","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"23992","Ordinal":"3","NoteData":"2021-06-24","Type":"Other","Title":"Modified"}]}}}