{"containers": {"cna": {"affected": [{"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "91.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too. This vulnerability affects Thunderbird < 91.2."}], "problemTypes": [{"descriptions": [{"description": "Downgrade attack on SMTP STARTTLS connections", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-01-04T11:06:32", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-47/"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1733366"}, {"name": "DSA-5034", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2022/dsa-5034"}, {"name": "[debian-lts-announce] 20220104 [SECURITY] [DLA 2874-1] thunderbird security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2021-38502", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Thunderbird", "version": {"version_data": [{"version_affected": "<", "version_value": "91.2"}]}}]}, "vendor_name": "Mozilla"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too. This vulnerability affects Thunderbird < 91.2."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Downgrade attack on SMTP STARTTLS connections"}]}]}, "references": {"reference_data": [{"name": "https://www.mozilla.org/security/advisories/mfsa2021-47/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2021-47/"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1733366", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1733366"}, {"name": "DSA-5034", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5034"}, {"name": "[debian-lts-announce] 20220104 [SECURITY] [DLA 2874-1] thunderbird security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:44:22.910Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-47/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1733366"}, {"name": "DSA-5034", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5034"}, {"name": "[debian-lts-announce] 20220104 [SECURITY] [DLA 2874-1] thunderbird security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html"}]}]}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2021-38502", "datePublished": "2021-11-03T00:02:49", "dateReserved": "2021-08-10T00:00:00", "dateUpdated": "2024-08-04T01:44:22.910Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "0FDD43C9-F32C-409E-B563-BD137C63A7B8", "versionEndExcluding": "91.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too. This vulnerability affects Thunderbird < 91.2."}, {"lang": "es", "value": "Thunderbird ignor\u00f3 la configuraci\u00f3n para requerir seguridad STARTTLS para una conexi\u00f3n SMTP. Un MITM podr\u00eda llevar a cabo un ataque de degradaci\u00f3n para interceptar los mensajes transmitidos, o podr\u00eda tomar el control de la sesi\u00f3n autenticada para ejecutar los comandos SMTP elegidos por el MITM. Si es configurado un m\u00e9todo de autenticaci\u00f3n no protegido, el MITM podr\u00eda obtener tambi\u00e9n las credenciales de autenticaci\u00f3n. Esta vulnerabilidad afecta a Thunderbird versiones anteriores a 91.2"}], "id": "CVE-2021-38502", "lastModified": "2024-11-21T06:17:15.620", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-11-03T01:15:07.657", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1733366"}, {"source": "security@mozilla.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html"}, {"source": "security@mozilla.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5034"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-47/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Permissions Required", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1733366"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5034"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-47/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:3841", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "thunderbird-0:91.2.0-1.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2021-10-13T00:00:00Z"}, {"advisory": "RHSA-2021:3838", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:91.2.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-10-13T00:00:00Z"}, {"advisory": "RHSA-2021:3840", "cpe": "cpe:/a:redhat:rhel_eus:8.1", "package": "thunderbird-0:91.2.0-1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2021-10-13T00:00:00Z"}, {"advisory": "RHSA-2021:3839", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "thunderbird-0:91.2.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2021-10-13T00:00:00Z"}], "bugzilla": {"description": "Mozilla: Downgrade attack on SMTP STARTTLS connections", "id": "2013469", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2013469"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-319", "details": ["Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too. This vulnerability affects Thunderbird < 91.2."], "name": "CVE-2021-38502", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2021-10-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-38502\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-38502"], "threat_severity": "Important"}