PT-2020-13101 · Mozilla · Thunderbird
Damian Poddebniak · Published 2020-06-02 · Updated 2024-06-15
CVE-2020-12398
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Thunderbird versions prior to 68.9.0
Description
The issue arises when Thunderbird is configured to use STARTTLS for an IMAP server and the server answers the connection with a PREAUTH greeting instead of OK. In that case Thunderbird never issues STARTTLS and simply continues over the unencrypted connection, so email data is transmitted without protection.
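As an added example (not part of this advisory or of Mozilla's code), the following Python models the client-side decision the description refers to. RFC 3501 only allows STARTTLS from the not-authenticated state, and a PREAUTH greeting places the session directly in the authenticated state, which is why the old client never upgraded. The greetings are constructed and the function names are assumptions; the hardened variant refuses the connection instead of using it in cleartext.

```python
import re
from dataclasses import dataclass

# Untagged IMAP greeting: "* OK ...", "* PREAUTH ..." or "* BYE ...", optionally
# carrying a [CAPABILITY ...] response code (RFC 3501, section 7.1).
GREETING_RE = re.compile(
    r"^\* (OK|PREAUTH|BYE)(?: \[CAPABILITY ([^\]]*)\])?(?: (.*?))?\r?\n?$",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Greeting:
    status: str               # "OK", "PREAUTH" or "BYE"
    capabilities: frozenset   # upper-cased, empty if none were advertised
    text: str                 # human-readable remainder of the line

def parse_greeting(line: str) -> Greeting:
    """Parse the first line an IMAP server sends after the TCP connect."""
    m = GREETING_RE.match(line)
    if not m:
        raise ValueError(f"not an IMAP greeting: {line!r}")
    status, caps, text = m.groups()
    return Greeting(status.upper(), frozenset(c.upper() for c in (caps or "").split()), text or "")

def next_step_vulnerable(g: Greeting, starttls_required: bool) -> str:
    """Pre-68.9.0 behaviour as described in the advisory: STARTTLS is only sent
    from the not-authenticated state, which a PREAUTH greeting skips entirely."""
    if g.status == "BYE":
        return "disconnect"
    if g.status == "PREAUTH":
        return "continue in cleartext"          # the downgrade
    return "send STARTTLS" if starttls_required else "send LOGIN"

def next_step_fixed(g: Greeting, starttls_required: bool) -> str:
    """Hardened decision: with STARTTLS configured, a connection that cannot be
    upgraded (PREAUTH, or STARTTLS absent from an advertised list) is refused."""
    if g.status == "BYE":
        return "disconnect"
    if starttls_required:
        if g.status == "PREAUTH" or (g.capabilities and "STARTTLS" not in g.capabilities):
            return "disconnect (cannot upgrade to TLS)"
        return "send STARTTLS"
    return "continue" if g.status == "PREAUTH" else "send LOGIN"

# Constructed sample greetings (not captured from any real server).
NORMAL = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] ready\r\n"
PREAUTH = "* PREAUTH [CAPABILITY IMAP4rev1 STARTTLS] logged in as proxy user\r\n"
NO_TLS = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] ready\r\n"
```

For the PREAUTH greeting the old decision returns "continue in cleartext" while the hardened one returns "disconnect (cannot upgrade to TLS)"; the NORMAL greeting yields "send STARTTLS" in both.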
Recommendations
For versions prior to 68.9.0, update to version 68.9.0 or later to resolve the issue. As a temporary workaround until the update is applied, consider disabling the use of STARTTLS for IMAP servers. Restrict access to sensitive email data to minimize the risk of exploitation, and avoid using unencrypted connections for email data transfer until the issue is resolved.
Weakness Enumeration
Cleartext Transmission of Sensitive Information
Affected Products
ALT Linux
CentOS
Linux Mint
Red Hat
SUSE
Thunderbird
Ubuntu