CVE-2024-23655: 
Homebrew vulnerability analysis and mitigation

A vulnerability in Tutanota (CVE-2024-23655) allows an attacker to render the application unusable by sending a manipulated email, preventing users from accessing their received emails. The vulnerability was discovered and disclosed on January 25, 2024, affecting versions >=3.118.12 and < 3.119.10. The issue has been patched in version 3.119.10 (GitHub Advisory).

The vulnerability occurs when an attacker sends an email encrypted with a different public key than the recipient's. This can be accomplished by intercepting the server response and replacing the recipient's public key with another. When the victim receives the manipulated email, it triggers an error message and puts the application in an unusable state. The vulnerability has been assigned a CVSS score of 7.5 (High), with attack vector being Network, attack complexity Low, requiring no privileges or user interaction, and primarily affecting availability (GitHub Advisory).

When exploited, the vulnerability prevents users from displaying or reading emails in their inbox. After receiving the manipulated email, users may experience temporary inability to display new mails, move emails, or change certain settings. The audit log is no longer updated, which affects important security actions such as two-factor authentication changes. The impact affects both the mobile app and web application, leaving users with no way to access their received emails (GitHub Advisory).

The vulnerability has been fixed in Tutanota version 3.119.10. Users are advised to upgrade to this version to protect against the vulnerability (GitHub Release).