CVE-2021-38502
First published: Wed Oct 06 2021(Updated: )
Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Thunderbird | <91.2 | 91.2 |
| <91.2 | 91.2 | |
| Mozilla Thunderbird | <91.2 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| debian/thunderbird | 1:91.12.0-1~deb10u1 1:115.3.1-1~deb10u1 1:102.13.1-1~deb11u1 1:115.3.1-1~deb11u1 1:102.15.1-1~deb12u1 1:115.3.1-1~deb12u1 1:115.3.1-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1733366
- https://www.mozilla.org/en-US/security/advisories/mfsa2021-47/
- https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html
- https://www.debian.org/security/2022/dsa-5034
- https://www.mozilla.org/security/advisories/mfsa2021-47/
- https://www.mozilla.org/en-US/security/advisories/mfsa2021-47/#CVE-2021-38502
- https://security-tracker.debian.org/tracker/CVE-2021-38502
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is CVE-2021-38502?
CVE-2021-38502 is a vulnerability in Thunderbird where it ignored the configuration to require STARTTLS security for an SMTP connection, allowing for a MITM downgrade attack and interception of transmitted messages.
How does CVE-2021-38502 affect Thunderbird?
CVE-2021-38502 affects Thunderbird versions up to 91.2, allowing for a MITM downgrade attack on SMTP connections.
How does CVE-2021-38502 affect Debian Linux?
CVE-2021-38502 affects Debian Linux versions 9.0, 10.0, and 11.0, where Thunderbird versions up to 91.2 are vulnerable.
What is the severity of CVE-2021-38502?
CVE-2021-38502 has a high severity rating of 5.9.
How can I fix CVE-2021-38502 in Thunderbird?
To fix CVE-2021-38502 in Thunderbird, update to version 91.2 or later.
- collector/security-tracker-debian
- collector/nvd-index
- collector/mozilla-advisory
- vendor/mozilla
- vendor/thunderbird
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/references
- agent/author
- agent/severity
- agent/description
- source/Mozilla
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- package-manager/debian
- canonical/mozilla thunderbird
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- version/debian debian linux/11.0