#VU25129 Use of insufficiently random values in Mozilla Thunderbird


Published: 2020-02-11

Vulnerability identifier: #VU25129

Vulnerability risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-6792

CWE-ID: CWE-330

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mozilla Thunderbird
Client/Desktop applications / Messaging software

Vendor: Mozilla

Description

The vulnerability allows an attacker to gain access to sensitive information.

The vulnerability exists due to an error in the message ID calculation processes that used uninitialized data in addition to the message contents.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mozilla Thunderbird: 68.0 - 68.4.2, 60.0 - 60.9.1

External links
http://www.mozilla.org/en-US/security/advisories/mfsa2020-07/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Ubuntu update for Thunderbird
Gentoo update for Mozilla Thunderbird
CentOS 6 update for thunderbird
CentOS 7 update for thunderbird
Red Hat update for thunderbird
Red Hat update for thunderbird
Red Hat update for thunderbird
Red Hat update for thunderbird
OpenSUSE Linux update for MozillaThunderbird
Debian update for thunderbird