CVE-2020-15646 — Sensitive Information Exposure in Mozilla Thunderbird

CWE-200 — Sensitive Information Exposure CWE-522 — Insufficiently Protected Credentials7 documents7 sources

Severity

5.9MEDIUMNVD

EPSS

0.3%

top 51.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Thunderbird Debian Thunderbird Mozilla Firefox

Timeline

PublishedOct 8

Latest updateMay 24

Description

If an attacker intercepts Thunderbird's initial attempt to perform automatic account setup using the Microsoft Exchange autodiscovery mechanism, and the attacker sends a crafted response, then Thunderbird sends username and password over https to a server controlled by the attacker. This vulnerability affects Thunderbird < 68.10.0.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages5 packages

▶debiandebian/thunderbird< thunderbird 1:68.10.0-1 (bookworm)

▶CVEListV5mozilla/thunderbirdunspecified — 68.10.0

▶NVDmozilla/thunderbird< 68.10.0

▶Debianmozilla/thunderbird< 1:68.10.0-1+3

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

GHSA-4w45-xx62-4547: If an attacker intercepts Thunderbird's initial attempt to perform automatic account setup using the Microsoft Exchange autodiscovery mechanism, and t↗2022-05-24

▶

OSV

CVE-2020-15646: If an attacker intercepts Thunderbird's initial attempt to perform automatic account setup using the Microsoft Exchange autodiscovery mechanism, and t↗2020-10-08

▶

📋Vendor Advisories

Red Hat

Mozilla: Automatic account setup leaks Microsoft Exchange login credentials↗2020-06-30

▶

Debian

CVE-2020-15646: thunderbird - If an attacker intercepts Thunderbird's initial attempt to perform automatic acc...↗2020

▶

Mozilla

Mozilla Foundation Security Advisory 2020-26: CVE-2020-15646↗

▶

💬Community

Bugzilla

CVE-2020-15646 Mozilla: Automatic account setup leaks Microsoft Exchange login credentials↗2020-07-06

▶