PT-2020-5946 · Mozilla+6 · Thunderbird+6
Damian Poddebniak · Published 2020-12-31 · Updated 2024-06-15 · CVE-2020-15685
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Thunderbird versions prior to 78.7
Description:
The issue is related to insufficient input validation during the STARTTLS connection setup, specifically in the plaintext phase. This could allow protocol commands to be injected and evaluated within the encrypted session, potentially affecting the confidentiality and integrity of protected information.
Recommendations:
For versions prior to 78.7, update to version 78.7 or later to resolve the issue. As a temporary workaround, consider restricting the use of the STARTTLS connection setup until a patch is available.
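The buffering flaw described above, as an added example that is not Thunderbird's code or its fix: a client model whose receive buffer either survives the TLS upgrade (strict=False) or must be empty at that point (strict=True). The line format, the Session class and all byte strings are constructed for illustration.

```python
# Added example: constructed byte strings, protocol-neutral line format.
class PlaintextInjection(Exception):
    """Cleartext bytes were still buffered when the TLS upgrade started."""


class Session:
    def __init__(self, strict):
        self.strict = strict      # True = hardened behaviour
        self.buf = bytearray()    # received, not yet parsed
        self.tls = False          # client's view: is the channel protected?

    def receive(self, data):
        self.buf += data

    def next_line(self):
        line, sep, rest = bytes(self.buf).partition(b"\r\n")
        if not sep:
            return None
        self.buf = bytearray(rest)
        # Second field: whether the client treats this line as TLS-protected.
        return line.decode("ascii"), self.tls

    def upgrade(self):
        # Hardened: nothing read before the handshake may survive it.
        if self.strict and self.buf:
            raise PlaintextInjection(
                f"{len(self.buf)} unread cleartext bytes at TLS upgrade")
        self.tls = True


# Constructed: one cleartext read holding the STARTTLS reply plus an extra
# line appended on the network path before encryption starts.
CLEARTEXT_READ = b"OK begin TLS\r\nINJECTED-LINE\r\n"
# Constructed: what the real server sends once TLS is up (shown decrypted).
TLS_READ = b"GENUINE-LINE\r\n"


def run(strict):
    s = Session(strict)
    s.receive(CLEARTEXT_READ)
    reply, _ = s.next_line()
    if not reply.startswith("OK"):
        raise RuntimeError("STARTTLS refused")
    s.upgrade()                   # the TLS handshake would happen here
    s.receive(TLS_READ)
    lines = []
    while (item := s.next_line()) is not None:
        lines.append(item)
    return lines
```

With strict=False the injected line is returned flagged as protected alongside the genuine one; with strict=True the upgrade aborts, which is also a useful event to log.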
Exploit
Fix
Command Injection
Code Injection
Affected Products
Alt Linux
Astra Linux
Centos
Red Hat
Suse
Thunderbird
Ubuntu