CVE-2021-38502 — Insufficiently Protected Credentials in Mozilla Thunderbird

CWE-522 — Insufficiently Protected Credentials CWE-319 — Cleartext Transmission of Sensitive Info8 documents7 sources

Severity

5.9MEDIUMNVD

OSV8.8

EPSS

0.5%

top 35.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Thunderbird Debian Thunderbird Debian Linux +1 more

Timeline

PublishedNov 3

Latest updateMay 24

Description

Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too. This vulnerability affects Thunderbird < 91.2.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages6 packages

▶debiandebian/thunderbird< thunderbird 1:91.2.1-1 (bookworm)

▶CVEListV5mozilla/thunderbirdunspecified — 91.2

▶NVDmozilla/thunderbird< 91.2

▶Debianmozilla/thunderbird< 1:91.4.1-1~deb11u1+3

▶Ubuntumozilla/thunderbird< 1:91.5.0+build1-0ubuntu0.18.04.1+1

Also affects: Debian Linux 10.0, 11.0, 9.0

🔴Vulnerability Details

GHSA

GHSA-wf24-4m95-7wjm: Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection↗2022-05-24

▶

OSV

thunderbird vulnerabilities↗2022-01-21

▶

OSV

CVE-2021-38502: Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection↗2021-11-03

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2022-01-21

▶

Red Hat

Mozilla: Downgrade attack on SMTP STARTTLS connections↗2021-10-06

▶

Debian

CVE-2021-38502: thunderbird - Thunderbird ignored the configuration to require STARTTLS security for an SMTP c...↗2021

▶

Mozilla

Mozilla Foundation Security Advisory 2021-47: CVE-2021-38502↗

▶