PT-2020-19226 · Mozilla+5 · Thunderbird+5
Jurgen Gaeremyn · Published 2020-02-11 · Updated 2024-06-15 · CVE-2020-6794
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Thunderbird versions prior to 68.5
Description
The issue arises when a user saved passwords in a Thunderbird version before 60 and later set a master password. The older stored password file remains unencrypted and accessible because it was not deleted when the data was migrated to a new format in Thunderbird 60. The master password is applied only to the new file, potentially exposing stored password data in a way that users do not expect.
Recommendations
For Thunderbird versions prior to 68.5, update to version 68.5 or later to resolve the issue.
Exploit
Fix
Cleartext Storage of Sensitive Information
Insufficiently Protected Credentials
Related Identifiers
Affected Products
Alt Linux
Centos
Red Hat
Suse
Thunderbird
Ubuntu