CVE-2021-29969Files or Directories Accessible to External Parties in Mozilla Thunderbird

CWE-552Files or Directories Accessible to External PartiesCWE-345Insufficient Verification of Data Authenticity8 documents7 sources
Severity
5.9MEDIUMNVD
EPSS
0.4%
top 39.56%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla ThunderbirdDebian ThunderbirdMozilla Firefox
Timeline
PublishedAug 5
Latest updateMay 24

Description

If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected data. This could have resulted in Thunderbird showing incorrect information, for example the attacker could have tricked Thunderbird to show folders that didn't exist on the IMAP server. This vulnerability affects Thunderbird < 78.12.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages6 packages

debiandebian/thunderbird< thunderbird 1:78.12.0-1 (bookworm)
CVEListV5mozilla/thunderbirdunspecified78.12
NVDmozilla/thunderbird< 78.12
Debianmozilla/thunderbird< 1:78.12.0-1+3
Ubuntumozilla/thunderbird< 1:78.13.0+build1-0ubuntu0.18.04.1+1

🔴Vulnerability Details

3
GHSA
GHSA-ggp3-c9px-5c4p: If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server responses prior to the completion of the ST2022-05-24
OSV
thunderbird vulnerabilities2021-08-31
OSV
CVE-2021-29969: If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server responses prior to the completion of the ST2021-08-05

📋Vendor Advisories

4
Ubuntu
Thunderbird vulnerabilities2021-08-31
Red Hat
Mozilla: IMAP server responses sent by a MITM prior to STARTTLS could be processed2021-07-13
Debian
CVE-2021-29969: thunderbird - If Thunderbird was configured to use STARTTLS for an IMAP connection, and an att...2021
Mozilla
Mozilla Foundation Security Advisory 2021-30: CVE-2021-29969