Vulnerability CVE-2021-29956

Vulnerability Name:

CVE-2021-29956 (CCN-201944)

Assigned:

2021-05-17

Published:

2021-05-17

Updated:

2021-06-30

Summary:

OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions. This vulnerability affects Thunderbird < 78.10.2.

CVSS v3 Severity:

4.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
3.8 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
3.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

4.2 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N)
3.7 Low (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): High User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-312
CWE-522

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2021-29956

Source: MISC
Type: Exploit, Patch, Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1710290

Source: XF
Type: UNKNOWN
thunderbird-cve202129956-info-disc(201944)

Source: CCN
Type: Mozilla Foundation Security Advisory 2021-22
Security Vulnerabilities fixed in Thunderbird 78.10.2

Source: MISC
Type: Release Notes, Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-22/

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-29956

Vulnerable Configuration:

Configuration 1:

cpe:/a:mozilla:thunderbird:*:*:*:*:*:*:*:* (Version >= 78.8.1 and <= 78.10.1)

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Configuration RedHat 5:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 6:

cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration CCN 1:

cpe:/a:mozilla:thunderbird:78.10.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:3546	P	libICE6-1.0.8-12.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:95176	P	MozillaThunderbird-91.8.0-150200.8.65.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:6037	P	Security update for webkit2gtk3 (Important)	2022-05-16
oval:org.opensuse.security:def:111905	P	MozillaThunderbird-91.1.1-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:105478	P	MozillaThunderbird-91.1.1-1.1 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:97026	P	nginx-1.14.0-4.24 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:111565	P	Security update for MozillaThunderbird (Moderate)	2021-07-10
oval:com.redhat.rhsa:def:20212263	P	RHSA-2021:2263: thunderbird security update (Important)	2021-06-07
oval:com.redhat.rhsa:def:20212264	P	RHSA-2021:2264: thunderbird security update (Important)	2021-06-07
oval:org.opensuse.security:def:96304	P	Security update for MozillaThunderbird (Moderate)	2021-06-04
oval:org.opensuse.security:def:67126	P	Security update for MozillaThunderbird (Moderate)	2021-06-04
oval:org.opensuse.security:def:102976	P	Security update for MozillaThunderbird (Moderate)	2021-06-04
oval:org.opensuse.security:def:10642	P	Security update for MozillaThunderbird (Moderate)	2021-06-04
oval:org.opensuse.security:def:119782	P	Security update for MozillaThunderbird (Moderate)	2021-06-04
oval:org.opensuse.security:def:70782	P	Security update for MozillaThunderbird (Moderate)	2021-06-04
oval:org.opensuse.security:def:102314	P	Security update for MozillaThunderbird (Moderate)	2021-06-04
oval:org.opensuse.security:def:10677	P	Security update for MozillaThunderbird (Moderate)	2021-06-04
oval:org.opensuse.security:def:70817	P	Security update for MozillaThunderbird (Moderate)	2021-06-04
oval:org.opensuse.security:def:109642	P	Security update for MozillaThunderbird (Moderate)	2021-06-04
oval:org.opensuse.security:def:76194	P	Security update for MozillaThunderbird (Moderate)	2021-06-04

BACK