PT-2021-2751 · Mozilla +7 · Thunderbird +7
Wayne Mery +1
Published: 2021-03-08 · Updated: 2021-07-10
CVE-2021-29950
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
Thunderbird versions prior to 78.8.1
Description:
The issue is related to errors in handling OpenPGP cryptographic signatures in the Thunderbird email client. Exploitation of this issue could allow a remote attacker to impact the confidentiality and integrity of protected information. Specifically, Thunderbird fails to protect a secret OpenPGP key before using it for decryption, signing, or key import tasks. If such a task fails, the secret key may remain in memory in its unprotected state.
Recommendations:
For versions prior to 78.8.1, update to version 78.8.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of OpenPGP keys in Thunderbird until the update is applied.
Exploit
Fix
Cleartext Storage of Sensitive Information
Insufficiently Protected Credentials
Affected Products
Alt Linux
Astra Linux
CentOS
Linux Mint
Red Hat
SUSE
Thunderbird
Ubuntu