CVE-2021-29948 — Race Condition in Mozilla Thunderbird

CWE-362 — Race Condition CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition10 documents7 sources

Severity

2.5LOWNVD

OSV7.4

EPSS

0.1%

top 78.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Thunderbird Debian Thunderbird Mozilla Firefox

Timeline

PublishedJun 24

Latest updateMay 24

Description

Signatures are written to disk before and read during verification, which might be subject to a race condition when a malicious local process or user is replacing the file. This vulnerability affects Thunderbird < 78.10.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 1.0 | Impact: 1.4

Affected Packages6 packages

▶debiandebian/thunderbird< thunderbird 1:78.10.0-1 (bookworm)

▶CVEListV5mozilla/thunderbirdunspecified — 78.10

▶NVDmozilla/thunderbird< 78.10

▶Debianmozilla/thunderbird< 1:78.10.0-1+3

▶Ubuntumozilla/thunderbird< 1:78.11.0+build1-0ubuntu0.18.04.2+1

Patches

Patch: bugzilla.mozilla.org ↗Patch: bugzilla.mozilla.org ↗

🔴Vulnerability Details

GHSA

GHSA-7h9q-985f-8xvm: Signatures are written to disk before and read during verification, which might be subject to a race condition when a malicious local process or user↗2022-05-24

▶

OSV

thunderbird vulnerabilities↗2021-06-25

▶

OSV

CVE-2021-29948: Signatures are written to disk before and read during verification, which might be subject to a race condition when a malicious local process or user↗2021-06-24

▶

OSV

thunderbird vulnerabilities↗2021-06-22

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2021-06-25

▶

Ubuntu

Thunderbird vulnerabilities↗2021-06-22

▶

Red Hat

Mozilla: Race condition when reading from disk while verifying signatures↗2021-04-19

▶

Debian

CVE-2021-29948: thunderbird - Signatures are written to disk before and read during verification, which might ...↗2021

▶

Mozilla

Mozilla Foundation Security Advisory 2021-14: CVE-2021-29948↗

▶