CVE-2021-29969 Information
Jun 07, 2022
cve
Description
If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected data. This could have resulted in Thunderbird showing incorrect information; for example, the attacker could have tricked Thunderbird into showing folders that didn't exist on the IMAP server. This vulnerability affects Thunderbird < 78.12.
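The buffering flaw described above, sketched as an added Python example (not Thunderbird's code): a client receive buffer that either keeps or discards bytes that arrived in cleartext before the TLS handshake. The class, function names, tags and sample bytes are constructed for illustration, and the handshake itself is only marked by a comment.

```python
# Constructed sample: bytes on the plaintext socket after the client sends
# "a1 STARTTLS". The line after the tagged OK was injected on the network
# before TLS started; the folder name is made up.
PLAINTEXT_SEGMENT = (
    b"a1 OK Begin TLS negotiation now\r\n"
    b'* LIST (\\HasNoChildren) "/" "Injected-Folder"\r\n'
)
# Constructed sample: the genuine server's reply, as decrypted after the handshake.
TLS_SEGMENT = b'* LIST (\\HasNoChildren) "/" "INBOX"\r\na2 OK LIST completed\r\n'


class LineBuffer:
    """Minimal CRLF line buffer standing in for a mail client's receive buffer."""

    def __init__(self):
        self.pending = b""

    def feed(self, data):
        self.pending += data

    def readline(self):
        line, sep, rest = self.pending.partition(b"\r\n")
        if not sep:
            return None  # no complete line buffered yet
        self.pending = rest
        return line


def folders_after_starttls(discard_plaintext_leftovers):
    """Return (folders the client would show, bytes left over from cleartext)."""
    buf = LineBuffer()
    buf.feed(PLAINTEXT_SEGMENT)
    status = buf.readline()
    if status is None or not status.startswith(b"a1 OK"):
        raise ConnectionError("server refused STARTTLS")
    # The TLS handshake would run here. Anything still buffered was received
    # in cleartext and is unauthenticated.
    leftovers = buf.pending
    if discard_plaintext_leftovers:
        buf.pending = b""  # hardened behaviour: ignore pre-handshake data
    buf.feed(TLS_SEGMENT)  # bytes decrypted from the TLS session
    folders = []
    while (line := buf.readline()) is not None:
        if line.startswith(b"* LIST "):
            folders.append(line.rsplit(b'"', 2)[1].decode())
    return folders, leftovers
```

With `discard_plaintext_leftovers=False` the injected folder is listed alongside `INBOX`; with `True` only the authenticated `INBOX` entry remains, and the returned leftovers can be logged as a sign of tampering.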
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Reference
https://www.mozilla.org/security/advisories/mfsa2021-30/
https://bugzilla.mozilla.org/show_bug.cgi?id=1682370
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
Base Score
5.9
Base Severity
MEDIUM