CVE-2021-29956Cleartext Storage of Sensitive Info in Mozilla Thunderbird

CWE-312Cleartext Storage of Sensitive InfoCWE-522Insufficiently Protected Credentials10 documents7 sources
Severity
4.3MEDIUMNVD
OSV7.4
EPSS
0.1%
top 67.16%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla ThunderbirdDebian ThunderbirdMozilla Firefox
Timeline
PublishedJun 24
Latest updateMay 24

Description

OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions. This vulnerability affects Thunderbird < 78.10.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages6 packages

debiandebian/thunderbird< thunderbird 1:78.10.2-1 (bookworm)
CVEListV5mozilla/thunderbirdunspecified78.10.2
Debianmozilla/thunderbird< 1:78.10.2-1+3
Ubuntumozilla/thunderbird< 1:78.11.0+build1-0ubuntu0.18.04.2+1
NVDmozilla/thunderbird78.8.178.10.1

Patches

Patch: bugzilla.mozilla.orgPatch: bugzilla.mozilla.org

🔴Vulnerability Details

4
GHSA
GHSA-vxjm-jch6-9qr5: OpenPGP secret keys that were imported using Thunderbird version 782022-05-24
OSV
thunderbird vulnerabilities2021-06-25
OSV
CVE-2021-29956: OpenPGP secret keys that were imported using Thunderbird version 782021-06-24
OSV
thunderbird vulnerabilities2021-06-22

📋Vendor Advisories

5
Ubuntu
Thunderbird vulnerabilities2021-06-25
Ubuntu
Thunderbird vulnerabilities2021-06-22
Red Hat
Mozilla: Thunderbird stored OpenPGP secret keys without master password protection2021-05-17
Debian
CVE-2021-29956: thunderbird - OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to ve...2021
Mozilla
Mozilla Foundation Security Advisory 2021-22: CVE-2021-29956