A crafted OpenPGP key with an invalid user ID could be used to confuse the user in Mozilla Thunderbird - CVE-2021-23992ID: oval:org.secpod.oval:def:91739 | Date: (C)2023-08-07 (M)2023-11-18 |
Class: VULNERABILITY | Family: windows |
Mozilla Thunderbird before 78.9.1: Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by adding another user ID. If Thunderbird imports and accepts the crafted key, the Thunderbird user may falsely conclude that the false user ID belongs to the correspondent.
Platform: |
Microsoft Windows 7 |
Microsoft Windows 8.1 |
Microsoft Windows 10 |
Microsoft Windows Server 2008 |
Microsoft Windows Server 2008 R2 |
Microsoft Windows Server 2012 |
Microsoft Windows Server 2012 R2 |
Microsoft Windows Server 2016 |
Microsoft Windows Server 2019 |
Microsoft Windows 11 |
Microsoft Windows Server 2022 |
Microsoft Windows Server |
Product: |
Mozilla Thunderbird |