CVE-2021-23993
Publication date 13 April 2021
Last updated 24 July 2024
Ubuntu priority
An attacker may perform a DoS attack to prevent a user from sending encrypted email to a correspondent. If an attacker creates a crafted OpenPGP key with a subkey that has an invalid self signature, and the Thunderbird user imports the crafted key, then Thunderbird may try to use the invalid subkey, but the RNP library rejects it from being used, causing encryption to fail. This vulnerability affects Thunderbird < 78.9.1.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| thunderbird | ||
| 22.04 LTS jammy |
Fixed 1:78.11.0+build1-0ubuntu2
|
|
| 20.04 LTS focal |
Fixed 1:78.11.0+build1-0ubuntu0.20.04.2
|
|
| 18.04 LTS bionic |
Fixed 1:78.11.0+build1-0ubuntu0.18.04.2
|
|
| 16.04 LTS xenial | Ignored end of standard support, was needs-triage | |
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.5 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-4995-1
- Thunderbird vulnerabilities
- 22 June 2021
- USN-4995-2
- Thunderbird vulnerabilities
- 25 June 2021