Information Disclosure

2020-12-0603:48:50

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

JSON

Thunderbird is vulnerable to information disclosure. An attacker is able to intercepts Thunderbird’s initial attempt to perform automatic account setup using the Microsoft Exchange autodiscovery mechanism, and sends a crafted response, of which Thunderbird will responds with username and password over https to a server controlled by the attacker.

CPENameOperatorVersion
thunderbird:bustereq1:60.9.0-1~deb10u1
thunderbird:stretcheq1:60.9.0-1~deb9u1
thunderbird:stretcheq1:52.9.1-1~deb9u1
thunderbirdeq60.5.0__1.el6.centos
thunderbirdeq24.8.0__1.el6_5
thunderbirdeq68.4.1__2.el6.centos
thunderbirdeq60.9.0__1.el7.centos
thunderbirdeq60.8.0__1.el6.centos
thunderbirdeq31.2.0__3.el6_6
thunderbirdeq68.9.0__1.el6.centos

Name	Operator	Version
thunderbird:buster	eq	1:60.9.0-1~deb10u1
thunderbird:stretch	eq	1:60.9.0-1~deb9u1
thunderbird:stretch	eq	1:52.9.1-1~deb9u1
thunderbird	eq	60.5.0__1.el6.centos
thunderbird	eq	24.8.0__1.el6_5
thunderbird	eq	68.4.1__2.el6.centos
thunderbird	eq	60.9.0__1.el7.centos
thunderbird	eq	60.8.0__1.el6.centos
thunderbird	eq	31.2.0__3.el6_6
thunderbird	eq	68.9.0__1.el6.centos