Description
Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too. This vulnerability affects Thunderbird < 91.2.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_misc
https://www.mozilla.org/security/advisories/mfsa2021-47/
Issue Tracking, Permissions Required, Vendor Advisory x_refsource_misc
https://bugzilla.mozilla.org/show_bug.cgi?id=1733366
Issue Tracking, Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2022/dsa-5034
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html
Scores
CVSS v3
5.9
EPSS
0.0046
EPSS Percentile
64.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
Status
published
Products (4)
debian/debian_linux
9.0
debian/debian_linux
10.0
debian/debian_linux
11.0
mozilla/thunderbird
< 91.2
Published
Nov 03, 2021
Tracked Since
Feb 18, 2026