CVE-2021-29969
First published: Tue Jul 13 2021(Updated: )
If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected data. This could have resulted in Thunderbird showing incorrect information, for example the attacker could have tricked Thunderbird to show folders that didn't exist on the IMAP server.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Thunderbird | <78.12 | 78.12 |
| <78.12 | 78.12 | |
| Mozilla Thunderbird | <78.12 | |
| debian/thunderbird | 1:91.12.0-1~deb10u1 1:115.3.1-1~deb10u1 1:102.13.1-1~deb11u1 1:115.3.1-1~deb11u1 1:102.15.1-1~deb12u1 1:115.3.1-1~deb12u1 1:115.3.1-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1682370
- https://www.mozilla.org/en-US/security/advisories/mfsa2021-30/
- https://security.gentoo.org/glsa/202208-14
- https://www.mozilla.org/security/advisories/mfsa2021-30/
- https://www.mozilla.org/en-US/security/advisories/mfsa2021-30/#CVE-2021-29969
- https://security-tracker.debian.org/tracker/CVE-2021-29969
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- collector/security-tracker-debian
- collector/nvd-index
- collector/mozilla-advisory
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/references
- agent/softwarecombine
- source/Mozilla
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/author
- agent/tags
- agent/event
- agent/description
- collector/mitre-cve
- source/MITRE
- package-manager/debian
- vendor/mozilla
- canonical/mozilla thunderbird