CVE-2021-29950 — Cleartext Storage of Sensitive Info in Mozilla Thunderbird

CWE-312 — Cleartext Storage of Sensitive Info CWE-522 — Insufficiently Protected Credentials8 documents7 sources

Severity

7.5HIGHNVD

OSV4.3

EPSS

0.1%

top 67.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Thunderbird Debian Thunderbird Mozilla Firefox

Timeline

PublishedJun 24

Latest updateMay 24

Description

Thunderbird unprotects a secret OpenPGP key prior to using it for a decryption, signing or key import task. If the task runs into a failure, the secret key may remain in memory in its unprotected state. This vulnerability affects Thunderbird < 78.8.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶debiandebian/thunderbird< thunderbird 1:78.9.0-1 (bookworm)

▶CVEListV5mozilla/thunderbirdunspecified — 78.8.1

▶NVDmozilla/thunderbird< 78.8.1

▶Debianmozilla/thunderbird< 1:78.9.0-1+3

▶Ubuntumozilla/thunderbird< 1:78.8.1+build1-0ubuntu0.20.04.1

🔴Vulnerability Details

GHSA

GHSA-4ghf-pq62-2jfh: Thunderbird unprotects a secret OpenPGP key prior to using it for a decryption, signing or key import task↗2022-05-24

▶

OSV

CVE-2021-29950: Thunderbird unprotects a secret OpenPGP key prior to using it for a decryption, signing or key import task↗2021-06-24

▶

OSV

thunderbird vulnerabilities↗2021-05-06

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2021-05-06

▶

Red Hat

Mozilla: Logic issue potentially leaves key material unlocked↗2021-03-08

▶

Debian

CVE-2021-29950: thunderbird - Thunderbird unprotects a secret OpenPGP key prior to using it for a decryption, ...↗2021

▶

Mozilla

Mozilla Foundation Security Advisory 2021-17: CVE-2021-29950↗

▶