Insecure Signature Verification

2021-04-1923:09:48

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

JSON

thunderbird does not perform secure signature verification. Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by adding another user ID. If Thunderbird imports and accepts the crafted key, the Thunderbird user may falsely conclude that the false user ID belongs to the correspondent.

CPENameOperatorVersion
thunderbirdeq78.8.0__1.el8
thunderbirdeq68.3.0__1.el7.centos
thunderbirdeq78.9.0__3.el8
thunderbirdeq31.7.0__1.ael7b_1
thunderbirdeq60.9.0__1.el7.centos
thunderbirdeq60.5.0__1.el8
thunderbirdeq78.9.0__3.el7.centos
thunderbirdeq68.12.0__1.el7.centos
thunderbirdeq68.5.0__1.el7.centos
thunderbirdeq68.2.0__1.el7.centos

Name	Operator	Version
thunderbird	eq	78.8.0__1.el8
thunderbird	eq	68.3.0__1.el7.centos
thunderbird	eq	78.9.0__3.el8
thunderbird	eq	31.7.0__1.ael7b_1
thunderbird	eq	60.9.0__1.el7.centos
thunderbird	eq	60.5.0__1.el8
thunderbird	eq	78.9.0__3.el7.centos
thunderbird	eq	68.12.0__1.el7.centos
thunderbird	eq	68.5.0__1.el7.centos
thunderbird	eq	68.2.0__1.el7.centos