CVE-2020-12398 — Cleartext Transmission of Sensitive Info in Mozilla Thunderbird
Severity
7.5HIGHNVD
EPSS
0.3%
top 50.45%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJul 9
Latest updateMay 24
Description
If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with an unencrypted connection, causing email data to be sent without protection. This vulnerability affects Thunderbird < 68.9.0.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6
Affected Packages4 packages
Also affects: Ubuntu Linux 16.04, 18.04, 19.10, 20.04
🔴Vulnerability Details
4GHSA▶
GHSA-jvxv-vphc-73rg: If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with an unenc↗2022-05-24
CVEList▶
CVE-2020-12398: If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with an unenc↗2020-07-09
OSV▶
CVE-2020-12398: If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with an unenc↗2020-07-09
📋Vendor Advisories
4Debian▶
CVE-2020-12398: thunderbird - If Thunderbird is configured to use STARTTLS for an IMAP server, and the server ...↗2020
💬Community
1Bugzilla▶
CVE-2020-12398 Mozilla: Security downgrade with IMAP STARTTLS leads to information leakage↗2020-06-11