CVE-2021-38502

Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too. This vulnerability affects Thunderbird < 91.2.

Published: Nov 3, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-38502
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.9
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
mozilla / thunderbird	-	91.2
debian / debian_linux	9.0	9.0.x
debian / debian_linux	10.0	10.0.x
debian / debian_linux	11.0	11.0.x

https://bugzilla.mozilla.org/show_bug.cgi?id=1733366
https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html
https://www.debian.org/security/2022/dsa-5034
https://www.mozilla.org/security/advisories/mfsa2021-47/

Vulnerability Database

CVE-2021-38502