PT-2021-2750 · Mozilla+7 · Thunderbird+7

Kai Engert +1 · Published: 2021-04-19 · Updated: 2024-06-15 · CVE-2021-29948

CVSS v2.0: 6.0 (Medium)
Vector: AV:L/AC:H/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Thunderbird versions prior to 78.10
Description: The issue is caused by a synchronization error in the use of a shared resource: a race condition can occur when a malicious local process or user replaces a file. This could allow a remote attacker to bypass existing security restrictions. Signatures are written to disk before verification and read back during verification, which can be exploited.
Recommendations: For versions prior to 78.10, update to version 78.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the file system to minimize the risk of exploitation. Avoid using shared resources until the issue is resolved.

Exploit

Fix

Race Condition

Weakness Enumeration

Related Identifiers

ALT-PU-2021-1804
ALT-PU-2021-1886
ALT-PU-2021-1892
BDU:2021-02286
CESA-2021_1353
CVE-2021-29948
DLA-2632-1
DSA-4897-1
MGASA-2021-0198
OPENSUSE-SU-2021:0644-1
OPENSUSE-SU-2021_0644-1
OPENSUSE-SU-2024:10601-1
RHSA-2021:1350
RHSA-2021:1351
RHSA-2021:1352
RHSA-2021:1353
RHSA-2021_1350
RHSA-2021_1353
SUSE-SU-2021:1432-1
USN-4995-1
USN-4995-2

Affected Products

Alt Linux
Astra Linux
CentOS
Linux Mint
Red Hat
SUSE
Thunderbird
Ubuntu