Vulnerability Description
Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too. This vulnerability affects Thunderbird < 91.2.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Thunderbird | < 91.2 |
| Debian | Debian Linux | 9.0 |
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1733366Issue TrackingPermissions RequiredVendor Advisory
- https://lists.debian.org/debian-lts-announce/2022/01/msg00001.htmlMailing ListThird Party Advisory
- https://www.debian.org/security/2022/dsa-5034Issue TrackingThird Party Advisory
- https://www.mozilla.org/security/advisories/mfsa2021-47/Vendor Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=1733366Issue TrackingPermissions RequiredVendor Advisory
- https://lists.debian.org/debian-lts-announce/2022/01/msg00001.htmlMailing ListThird Party Advisory
- https://www.debian.org/security/2022/dsa-5034Issue TrackingThird Party Advisory
- https://www.mozilla.org/security/advisories/mfsa2021-47/Vendor Advisory
FAQ
What is CVE-2021-38502?
CVE-2021-38502 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authe...
How severe is CVE-2021-38502?
CVE-2021-38502 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-38502?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Thunderbird, Debian Debian Linux.