Vulnerability Name:

CVE-2020-6794 (CCN-176080)

Assigned:2020-02-11
Published:2020-02-11
Updated:2022-01-01
Summary:If a user saved passwords before Thunderbird 60 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Thunderbird 60. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Thunderbird < 68.5.
CVSS v3 Severity:6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): None
6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): None
6.1 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.3 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type:CWE-312
CWE-459
CWE-522
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2020-6794

Source: MISC
Type: Exploit, Issue Tracking, Patch, Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1606619

Source: XF
Type: UNKNOWN
thunderbird-cve20206794-info-disc(176080)

Source: GENTOO
Type: Third Party Advisory
GLSA-202003-10

Source: UBUNTU
Type: Third Party Advisory
USN-4328-1

Source: UBUNTU
Type: Third Party Advisory
USN-4335-1

Source: CCN
Type: Mozilla Foundation Security Advisory 2020-07
Security Vulnerabilities fixed in Thunderbird 68.5

Source: MISC
Type: Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2020-07/

Vulnerable Configuration:
  Configuration 1:
  • cpe:/a:mozilla:thunderbird:*:*:*:*:*:*:*:* (Version < 68.5.0)

  Configuration 2:
  • cpe:/o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*

  Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

  Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:6::client:*:*:*:*:*

  Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

  Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*

  Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

  Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

  Configuration RedHat 7:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

  Configuration RedHat 8:
  • cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

  Configuration RedHat 9:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

  Configuration RedHat 10:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

  * Denotes that component is vulnerable
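The advisory summary above describes a migration that left the pre-Thunderbird-60 password store on disk next to the new, master-password-protected store, and the configuration list fixes the affected range at Thunderbird < 68.5.0. As an added example (not code from Mozilla or from this database), the following Python helper turns those two facts into an audit check: it compares a Thunderbird version string against 68.5.0 and scans a profile directory for a legacy store that still sits beside the migrated one. The file names are assumptions, since the advisory does not name them: signons.sqlite and signons.txt are taken as the older store formats and logins.json as the post-60 store; the profile it scans is constructed in a temporary directory so the script runs offline.

```python
"""Audit helper for CVE-2020-6794 (added example, not Mozilla's code)."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# From the advisory: Thunderbird < 68.5 is affected, so 68.5.0 is the first fixed build.
FIXED_VERSION: Tuple[int, int, int] = (68, 5, 0)

# ASSUMPTION: file names of the pre-Thunderbird-60 password store (legacy) and
# the store written by the Thunderbird 60+ format (new). Not stated in the advisory.
LEGACY_STORE_NAMES = ("signons.sqlite", "signons.txt")
NEW_STORE_NAME = "logins.json"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '68.4.2', '68.5' or '68.5.0b1' into a comparable 3-tuple of ints.

    Only the leading dotted-numeric part is used, so beta/rc suffixes are ignored.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad so that 68.5 compares as 68.5.0


def is_affected_version(version: str) -> bool:
    """True when the client is older than the fixed release 68.5.0."""
    return parse_version(version) < FIXED_VERSION


def find_stale_password_stores(profile_dir: str) -> List[str]:
    """Return legacy store files that coexist with the migrated store in a profile.

    A profile that never migrated (no new store) is not flagged: the advisory's
    condition is a legacy copy left behind by the migration, not the legacy store itself.
    """
    entries = set(os.listdir(profile_dir))
    if NEW_STORE_NAME not in entries:
        return []
    return sorted(
        os.path.join(profile_dir, name) for name in LEGACY_STORE_NAMES if name in entries
    )


def audit(profile_dir: str, version: str) -> Dict[str, object]:
    """Combine the version check and the profile scan into one report."""
    stale = find_stale_password_stores(profile_dir)
    return {
        "version_affected": is_affected_version(version),
        "stale_stores": stale,
        # A leftover legacy store is worth acting on regardless of version:
        # updating the binary does not, by itself, shred a file already on disk.
        "needs_action": bool(stale),
    }


def build_demo_profile() -> str:
    """Constructed sample profile: a migrated logins.json beside a leftover signons.sqlite."""
    d = tempfile.mkdtemp(prefix="tb-profile-")
    for name in (NEW_STORE_NAME, "signons.sqlite", "key4.db"):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(b"")  # file contents are irrelevant to this check
    return d


if __name__ == "__main__":
    demo = build_demo_profile()
    for v in ("60.9.1", "68.4.2", "68.5.0", "78.0"):
        print(v, audit(demo, v))
```

The report keeps the version verdict and the on-disk finding separate on purpose: this page states the affected range and the mechanism, but not whether the 68.5 build removes the leftover file on upgrade, so a profile that still carries a legacy store should be checked and cleaned (after confirming the entries exist in the new store) even on a patched client. Point the script at real profile directories from profiles.ini for an actual audit.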
    Oval Definitions
    Definition ID | Class (P = patch definition, V = vulnerability definition) | Title | Last Modified
    oval:org.opensuse.security:def:645 | P | Security update for php7 (Moderate) (in QA) | 2022-10-04
    oval:org.opensuse.security:def:20206794 | V | CVE-2020-6794 | 2022-09-02
    oval:org.opensuse.security:def:4735 | P | Security update for crash (Important) | 2022-07-28
    oval:org.opensuse.security:def:4755 | P | Security update for openssl-1_0_0 (Moderate) | 2022-06-28
    oval:org.opensuse.security:def:3546 | P | libICE6-1.0.8-12.1 on GA media (Moderate) | 2022-06-28
    oval:org.opensuse.security:def:95176 | P | MozillaThunderbird-91.8.0-150200.8.65.1 on GA media (Moderate) | 2022-06-22
    oval:org.opensuse.security:def:111905 | P | MozillaThunderbird-91.1.1-1.1 on GA media (Moderate) | 2022-01-17
    oval:org.opensuse.security:def:69561 | P | Security update for webkit2gtk3 (Important) | 2021-11-23
    oval:org.opensuse.security:def:51694 | P | Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important) | 2021-11-19
    oval:org.opensuse.security:def:105478 | P | MozillaThunderbird-91.1.1-1.1 on GA media (Moderate) | 2021-10-01
    oval:org.opensuse.security:def:66933 | P | Security update for gd (Moderate) | 2021-09-27
    oval:org.opensuse.security:def:4727 | P | Security update for the Linux Kernel (Important) | 2021-09-23
    oval:org.opensuse.security:def:74732 | P | Security update for hivex (Moderate) | 2021-09-23
    oval:org.opensuse.security:def:63233 | P | rarpd-s20161105-6.10 on GA media (Moderate) | 2021-09-21
    oval:org.opensuse.security:def:70289 | P | Security update for libesmtp (Important) | 2021-09-03
    oval:org.opensuse.security:def:63436 | P | libpcap1-32bit-1.8.1-4.3.1 on GA media (Moderate) | 2021-08-10
    oval:org.opensuse.security:def:101020 | P | minicom-2.7.1-1.19 on GA media (Moderate) | 2021-08-09
    oval:org.opensuse.security:def:62762 | P | imlib2-loaders-1.4.10-1.28 on GA media (Moderate) | 2021-08-09
    oval:org.opensuse.security:def:62734 | P | bluez-devel-5.55-1.57 on GA media (Moderate) | 2021-08-09
    oval:org.opensuse.security:def:62730 | P | PackageKit-1.1.13-4.20.1 on GA media (Moderate) | 2021-08-09
    oval:org.opensuse.security:def:62737 | P | emacs-x11-25.3-3.6.51 on GA media (Moderate) | 2021-08-09
    oval:org.opensuse.security:def:1773 | P | Security update for MozillaThunderbird (Important) | 2021-07-22
    oval:org.opensuse.security:def:64545 | P | Security update for the Linux Kernel (Important) | 2021-07-14
    oval:org.opensuse.security:def:66841 | P | Security update for freeradius-server (Moderate) | 2021-06-23
    oval:org.opensuse.security:def:69666 | P | Security update for MozillaFirefox (Important) | 2021-06-09
    oval:org.opensuse.security:def:93410 | P | (Important) | 2021-06-08
    oval:org.opensuse.security:def:5712 | P | Security update for ceph (Important) | 2021-06-02
    oval:org.opensuse.security:def:5042 | P | Security update for hivex (Moderate) | 2021-05-26
    oval:org.opensuse.security:def:73624 | P | Security update for graphviz (Critical) | 2021-05-19
    oval:org.opensuse.security:def:5680 | P | Security update for libxml2 (Moderate) | 2021-05-05
    oval:org.opensuse.security:def:64487 | P | Security update for bind (Important) | 2021-05-04
    oval:org.opensuse.security:def:5029 | P | Security update for cups (Important) | 2021-04-30
    oval:org.opensuse.security:def:5013 | P | Security update for cifs-utils (Moderate) | 2021-04-13
    oval:org.opensuse.security:def:51178 | P | Security update for compat-openssl098 (Moderate) | 2021-03-16
    oval:org.opensuse.security:def:64657 | P | Security update for glibc (Important) | 2021-02-26
    oval:org.opensuse.security:def:51588 | P | Security update for ImageMagick (Important) | 2021-01-22
    oval:org.opensuse.security:def:5021 | P | Security update for openldap2 (Moderate) | 2021-01-14
    oval:org.opensuse.security:def:64278 | P | Security update for clamav (Moderate) | 2020-12-14
    oval:org.opensuse.security:def:51860 | P | Security update for python (Important) | 2020-12-11
    oval:org.opensuse.security:def:64277 | P | Security update for gcc7 (Moderate) | 2020-12-10
    oval:org.opensuse.security:def:63604 | P | MozillaThunderbird-68.8.0-3.80.2 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:62940 | P | cargo-1.36.0-7.1 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:117201 | P | MozillaThunderbird-68.8.0-3.80.2 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:107686 | P | MozillaThunderbird-68.8.0-3.80.2 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:94307 | P | MozillaThunderbird-68.8.0-3.80.2 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:63583 | P | libavcodec-devel-3.4.2-4.12.4 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:2515 | P | MozillaThunderbird-68.8.0-3.80.2 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:4862 | P | Security update for freeradius-server (Moderate) | 2020-12-02
    oval:org.opensuse.security:def:4847 | P | Security update for dovecot23 (Important) | 2020-12-02
    oval:org.opensuse.security:def:4801 | P | Security update for squid (Important) | 2020-12-02
    oval:org.opensuse.security:def:4980 | P | Security update for nodejs8 (Moderate) | 2020-12-02
    oval:org.opensuse.security:def:4955 | P | Security update for mariadb (Moderate) | 2020-12-02
    oval:org.opensuse.security:def:4881 | P | Security update for squid (Important) | 2020-12-02
    oval:org.opensuse.security:def:51040 | P | Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:52344 | P | Security update for MozillaFirefox (Important) | 2020-12-01
    oval:org.opensuse.security:def:52144 | P | Security update for xen (Important) | 2020-12-01
    oval:org.opensuse.security:def:50214 | P | MozillaThunderbird on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:72901 | P | Security update for php7 (Important) | 2020-12-01
    oval:org.opensuse.security:def:51018 | P | Security update for postgresql12 (Important) | 2020-12-01
    oval:org.opensuse.security:def:73019 | P | Security update for MozillaThunderbird (Important) | 2020-12-01
    oval:org.opensuse.security:def:50160 | P | libpskc-devel on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:51017 | P | Security update for xen (Important) | 2020-12-01
    oval:org.opensuse.security:def:53885 | P | Security update for MozillaThunderbird (Important) | 2020-12-01
    oval:org.opensuse.security:def:73506 | P | jcl-over-slf4j on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:64385 | P | libsoup-2_4-1 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:64141 | P | Security update for java-1_8_0-ibm (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:53811 | P | Security update for LibVNCServer (Important) | 2020-12-01
    oval:org.opensuse.security:def:52535 | P | Security update for pdsh, slurm_18_08 (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:66330 | P | Security update for MozillaThunderbird (Important) | 2020-12-01
    oval:org.opensuse.security:def:63812 | P | Security update for python3 (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:70184 | P | osc on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:51416 | P | Security update for the Linux Kernel (Important) | 2020-12-01
    oval:org.opensuse.security:def:52454 | P | Security update for MozillaFirefox (Important) | 2020-12-01
    oval:org.opensuse.security:def:66238 | P | Security update for the Linux Kernel (Important) | 2020-12-01
    oval:org.opensuse.security:def:74599 | P | Security update for roundcubemail (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:52417 | P | Security update for apache2 (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:52252 | P | Security update for zeromq (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:99901 | P | (Important) | 2020-10-29
    oval:com.ubuntu.bionic:def:202067940000000 | V | CVE-2020-6794 on Ubuntu 18.04 LTS (bionic) - medium. | 2020-03-02
    oval:com.ubuntu.xenial:def:202067940000000 | V | CVE-2020-6794 on Ubuntu 16.04 LTS (xenial) - medium. | 2020-03-02
    oval:com.redhat.rhsa:def:20200576 | P | RHSA-2020:0576: thunderbird security update (Important) | 2020-02-24
    oval:com.redhat.rhsa:def:20200577 | P | RHSA-2020:0577: thunderbird security update (Important) | 2020-02-24
    oval:com.redhat.rhsa:def:20200574 | P | RHSA-2020:0574: thunderbird security update (Important) | 2020-02-24
    oval:org.opensuse.security:def:110383 | P | Security update for MozillaThunderbird (Important) | 2020-02-18