{"api_version":"1","generated_at":"2026-04-23T01:32:17+00:00","cve":"CVE-2021-4126","urls":{"html":"https://cve.report/CVE-2021-4126","api":"https://cve.report/api/cve/CVE-2021-4126.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-4126","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-4126"},"summary":{"title":"CVE-2021-4126","description":"When receiving an OpenPGP/MIME signed email message that contains an additional outer MIME message layer, for example a message footer added by a mailing list gateway, Thunderbird only considered the inner signed message for the signature validity. This gave the false impression that the additional contents were also covered by the digital signature. Starting with Thunderbird version 91.4.1, only the signature that belongs to the top level MIME part will be considered for the displayed status. This vulnerability affects Thunderbird < 91.4.1.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2022-12-22 20:15:00","updated_at":"2023-01-04 14:19:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1732310","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1732310","refsource":"MISC","tags":[],"title":"Access Denied","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-55/","name":"https://www.mozilla.org/security/advisories/mfsa2021-55/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Thunderbird 91.4.1 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-4126","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-4126","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"4126","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-4126","qid":"178983","title":"Debian Security Update for thunderbird (DSA 5034-1)"},{"cve":"CVE-2021-4126","qid":"178986","title":"Debian Security Update for thunderbird (DLA 2874-1)"},{"cve":"CVE-2021-4126","qid":"182600","title":"Debian Security Update for thunderbird (CVE-2021-4126)"},{"cve":"CVE-2021-4126","qid":"198641","title":"Ubuntu Security Notification for Thunderbird Vulnerabilities (USN-5248-1)"},{"cve":"CVE-2021-4126","qid":"198643","title":"Ubuntu Security Notification for Thunderbird Vulnerabilities (USN-5246-1)"},{"cve":"CVE-2021-4126","qid":"376199","title":"Mozilla Thunderbird Multiple Vulnerabilities (MFSA2021-55)"},{"cve":"CVE-2021-4126","qid":"502383","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-4126","qid":"505450","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-4126","qid":"751599","title":"OpenSUSE Security Update for MozillaThunderbird (openSUSE-SU-2022:0058-1)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-4126","ASSIGNER":"security@mozilla.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Mozilla","product":{"product_data":[{"product_name":"Thunderbird","version":{"version_data":[{"version_value":"91.4.1","version_affected":"<"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"OpenPGP signature status doesn't consider additional message content"}]}]},"references":{"reference_data":[{"url":"https://www.mozilla.org/security/advisories/mfsa2021-55/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2021-55/"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1732310","refsource":"MISC","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1732310"}]},"description":{"description_data":[{"lang":"eng","value":"When receiving an OpenPGP/MIME signed email message that contains an additional outer MIME message layer, for example a message footer added by a mailing list gateway, Thunderbird only considered the inner signed message for the signature validity. This gave the false impression that the additional contents were also covered by the digital signature. Starting with Thunderbird version 91.4.1, only the signature that belongs to the top level MIME part will be considered for the displayed status. This vulnerability affects Thunderbird < 91.4.1."}]}},"nvd":{"publishedDate":"2022-12-22 20:15:00","lastModifiedDate":"2023-01-04 14:19:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionEndExcluding":"91.4.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"4126","Ordinal":"223119","Title":"CVE-2021-4126","CVE":"CVE-2021-4126","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"4126","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}