CVE-2021-38502

Name
CVE-2021-38502
Description
Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too. This vulnerability affects Thunderbird < 91.2.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://bugzilla.mozilla.org/show_bug.cgi?id=1733366
MISC https://www.mozilla.org/security/advisories/mfsa2021-47/
DEBIAN https://www.debian.org/security/2022/dsa-5034
MLIST https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* thunderbird >= None < 91.2

Vulnerable and fixed packages

Source package Branch Version Maintainer Status