Vulnerability CVE-2021-29969: Information

Description

If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected data. This could have resulted in Thunderbird showing incorrect information; for example, the attacker could have tricked Thunderbird into showing folders that didn't exist on the IMAP server. This vulnerability affects Thunderbird < 78.12.

Severity: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Published: Aug. 5, 2021
Modified: Dec. 9, 2022
Error type identifier: CWE-552

Fixed packages

| Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| thunderbird | sisyphus | 78.12.0-alt1 | 115.9.0-alt1 | ALT-PU-2021-2233-1 | 278867 | Fixed |
| thunderbird | p10 | 78.12.0-alt1 | 115.9.0-alt1 | ALT-PU-2021-2233-1 | 278867 | Fixed |
| thunderbird | p9 | 78.12.0-alt0.p9.1 | 102.11.0-alt0.c9.1 | ALT-PU-2021-2255-1 | 278884 | Fixed |
| thunderbird | c10f1 | 78.12.0-alt1 | 115.9.0-alt0.c10.1 | ALT-PU-2021-2233-1 | 278867 | Fixed |
| thunderbird | c9f2 | 78.12.0-alt0.c9.1 | 102.11.0-alt0.c9.1 | ALT-PU-2021-2248-1 | 278908 | Fixed |

References to Advisories, Solutions, and Tools

| Hyperlink | Resource |
|---|---|
| https://www.mozilla.org/security/advisories/mfsa2021-30/ | Vendor Advisory |
| https://bugzilla.mozilla.org/show_bug.cgi?id=1682370 | Issue Tracking, Permissions Required, Vendor Advisory |
| GLSA-202208-14 | Third Party Advisory |

Configuration 1

cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
End excluding: 78.12