Vulnerability Name: CVE-2020-6792 (CCN-176082)

Assigned: 2020-02-11
Published: 2020-02-11
Updated: 2022-01-01
Summary: When deriving an identifier for an email message, uninitialized memory was used in addition to the message contents. This vulnerability affects Thunderbird < 68.5.
CVSS v3 Severity:
4.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
3.8 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): Low
Integrity (I): None
Availability (A): None

6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): None
Integrity (I): High
Availability (A): None

4.3 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
3.8 Low (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): Low
Integrity (I): None
Availability (A): None

CVSS v2 Severity:
4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Partial
Integrity (I): None
Availability (A): None

6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:C/A:N)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:
Confidentiality (C): None
Integrity (I): Complete
Availability (A): None
Vulnerability Type: CWE-908, CWE-909, CWE-456
Vulnerability Consequences: Bypass Security
References:
Source: MITRE
Type: CNA
CVE-2020-6792

Source: MISC
Type: Issue Tracking, Permissions Required
https://bugzilla.mozilla.org/show_bug.cgi?id=1609607

Source: XF
Type: UNKNOWN
thunderbird-cve20206792-sec-bypass(176082)

Source: GENTOO
Type: Third Party Advisory
GLSA-202003-10

Source: UBUNTU
Type: Third Party Advisory
USN-4328-1

Source: UBUNTU
Type: Third Party Advisory
USN-4335-1

Source: CCN
Type: Mozilla Foundation Security Advisory 2020-07
Security Vulnerabilities fixed in Thunderbird 68.5

Source: MISC
Type: Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2020-07/

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:mozilla:thunderbird:*:*:*:*:*:*:*:* (Version < 68.5.0)

Configuration 2:
  • cpe:/o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:6::client:*:*:*:*:*

Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*

Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

Configuration RedHat 7:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration RedHat 8:
  • cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Configuration RedHat 9:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 10:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

* Denotes that component is vulnerable
OVAL Definitions:
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:645 | P | Security update for php7 (Moderate) (in QA) | 2022-10-04
oval:org.opensuse.security:def:20206792 | V | CVE-2020-6792 | 2022-08-07
oval:org.opensuse.security:def:95176 | P | MozillaThunderbird-91.8.0-150200.8.65.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:3546 | P | MozillaThunderbird-91.8.0-150200.8.65.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:111905 | P | MozillaThunderbird-91.1.1-1.1 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:69561 | P | Security update for webkit2gtk3 (Important) | 2021-11-23
oval:org.opensuse.security:def:51694 | P | Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important) | 2021-11-19
oval:org.opensuse.security:def:105478 | P | MozillaThunderbird-91.1.1-1.1 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:66933 | P | Security update for gd (Moderate) | 2021-09-27
oval:org.opensuse.security:def:74732 | P | Security update for hivex (Moderate) | 2021-09-23
oval:org.opensuse.security:def:63233 | P | rarpd-s20161105-6.10 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:70289 | P | Security update for libesmtp (Important) | 2021-09-03
oval:org.opensuse.security:def:63436 | P | libpcap1-32bit-1.8.1-4.3.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:101020 | P | minicom-2.7.1-1.19 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62762 | P | imlib2-loaders-1.4.10-1.28 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62734 | P | bluez-devel-5.55-1.57 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62730 | P | PackageKit-1.1.13-4.20.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62737 | P | emacs-x11-25.3-3.6.51 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1773 | P | Security update for MozillaThunderbird (Important) | 2021-07-22
oval:org.opensuse.security:def:64545 | P | Security update for the Linux Kernel (Important) | 2021-07-14
oval:org.opensuse.security:def:66841 | P | Security update for freeradius-server (Moderate) | 2021-06-23
oval:org.opensuse.security:def:69666 | P | Security update for MozillaFirefox (Important) | 2021-06-09
oval:org.opensuse.security:def:93410 | P | (Important) | 2021-06-08
oval:org.opensuse.security:def:5712 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:73624 | P | Security update for graphviz (Critical) | 2021-05-19
oval:org.opensuse.security:def:5680 | P | Security update for libxml2 (Moderate) | 2021-05-05
oval:org.opensuse.security:def:64487 | P | Security update for bind (Important) | 2021-05-04
oval:org.opensuse.security:def:51178 | P | Security update for compat-openssl098 (Moderate) | 2021-03-16
oval:org.opensuse.security:def:64657 | P | Security update for glibc (Important) | 2021-02-26
oval:org.opensuse.security:def:51588 | P | Security update for ImageMagick (Important) | 2021-01-22
oval:org.opensuse.security:def:64278 | P | Security update for clamav (Moderate) | 2020-12-14
oval:org.opensuse.security:def:51860 | P | Security update for python (Important) | 2020-12-11
oval:org.opensuse.security:def:64277 | P | Security update for gcc7 (Moderate) | 2020-12-10
oval:org.opensuse.security:def:63604 | P | MozillaThunderbird-68.8.0-3.80.2 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:62940 | P | cargo-1.36.0-7.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:107686 | P | MozillaThunderbird-68.8.0-3.80.2 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:94307 | P | MozillaThunderbird-68.8.0-3.80.2 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:63583 | P | libavcodec-devel-3.4.2-4.12.4 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:2515 | P | MozillaThunderbird-68.8.0-3.80.2 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4727 | P | Security update for salt (Critical) | 2020-12-02
oval:org.opensuse.security:def:4862 | P | Security update for freeradius-server (Moderate) | 2020-12-02
oval:org.opensuse.security:def:4847 | P | Security update for dovecot23 (Important) | 2020-12-02
oval:org.opensuse.security:def:5042 | P | Security update for rubygem-actionpack-5_1 (Moderate) | 2020-12-02
oval:org.opensuse.security:def:4801 | P | Security update for squid (Important) | 2020-12-02
oval:org.opensuse.security:def:5029 | P | Security update for the Linux Kernel (Important) | 2020-12-02
oval:org.opensuse.security:def:4755 | P | Security update for spice-gtk (Important) | 2020-12-02
oval:org.opensuse.security:def:5021 | P | Security update for php7 (Moderate) | 2020-12-02
oval:org.opensuse.security:def:4980 | P | Security update for nodejs8 (Moderate) | 2020-12-02
oval:org.opensuse.security:def:4735 | P | Security update for the Linux Kernel (Important) | 2020-12-02
oval:org.opensuse.security:def:5013 | P | Security update for nodejs8 (Important) | 2020-12-02
oval:org.opensuse.security:def:4955 | P | Security update for mariadb (Moderate) | 2020-12-02
oval:org.opensuse.security:def:4881 | P | Security update for squid (Important) | 2020-12-02
oval:org.opensuse.security:def:51040 | P | Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork (Moderate) | 2020-12-01
oval:org.opensuse.security:def:52344 | P | Security update for MozillaFirefox (Important) | 2020-12-01
oval:org.opensuse.security:def:52144 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:50214 | P | MozillaThunderbird on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:72901 | P | Security update for php7 (Important) | 2020-12-01
oval:org.opensuse.security:def:51018 | P | Security update for postgresql12 (Important) | 2020-12-01
oval:org.opensuse.security:def:73019 | P | Security update for MozillaThunderbird (Important) | 2020-12-01
oval:org.opensuse.security:def:50160 | P | libpskc-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:51017 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:53885 | P | Security update for MozillaThunderbird (Important) | 2020-12-01
oval:org.opensuse.security:def:73506 | P | jcl-over-slf4j on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64385 | P | libsoup-2_4-1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64141 | P | Security update for java-1_8_0-ibm (Moderate) | 2020-12-01
oval:org.opensuse.security:def:53811 | P | Security update for LibVNCServer (Important) | 2020-12-01
oval:org.opensuse.security:def:52535 | P | Security update for pdsh, slurm_18_08 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:66330 | P | Security update for MozillaThunderbird (Important) | 2020-12-01
oval:org.opensuse.security:def:63812 | P | Security update for python3 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:70184 | P | osc on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:51416 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:52454 | P | Security update for MozillaFirefox (Important) | 2020-12-01
oval:org.opensuse.security:def:66238 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:74599 | P | Security update for roundcubemail (Moderate) | 2020-12-01
oval:org.opensuse.security:def:52417 | P | Security update for apache2 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:52252 | P | Security update for zeromq (Moderate) | 2020-12-01
oval:org.opensuse.security:def:99901 | P | (Important) | 2020-10-29
oval:com.ubuntu.bionic:def:202067920000000 | V | CVE-2020-6792 on Ubuntu 18.04 LTS (bionic) - low. | 2020-03-02
oval:com.ubuntu.xenial:def:202067920000000 | V | CVE-2020-6792 on Ubuntu 16.04 LTS (xenial) - low. | 2020-03-02
oval:com.redhat.rhsa:def:20200576 | P | RHSA-2020:0576: thunderbird security update (Important) | 2020-02-24
oval:com.redhat.rhsa:def:20200577 | P | RHSA-2020:0577: thunderbird security update (Important) | 2020-02-24
oval:com.redhat.rhsa:def:20200574 | P | RHSA-2020:0574: thunderbird security update (Important) | 2020-02-24
oval:org.opensuse.security:def:110383 | P | Security update for MozillaThunderbird (Important) | 2020-02-18
    mozilla thunderbird *
    canonical ubuntu linux 16.04
    canonical ubuntu linux 18.04
    canonical ubuntu linux 19.10