#VU54829 Command Injection in Mozilla Thunderbird - CVE-2021-29969

Published: July 13, 2021


Vulnerability identifier: #VU54829
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-29969
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Mozilla Thunderbird
Software vendor:
Mozilla

Description

The vulnerability allows a remote attacker to spoof IMAP server data shown by Thunderbird.

The vulnerability exists in the way Thunderbird handles IMAP server responses received before the STARTTLS handshake. A remote attacker able to perform a MitM attack can inject IMAP server responses into the plaintext phase of the connection; Thunderbird kept those bytes in its read buffer and processed them after the handshake completed, treating them as if the authenticated server had sent them over the encrypted channel.

This could have resulted in Thunderbird showing incorrect information, for example the attacker could have tricked Thunderbird to show folders that didn't exist on the IMAP server.
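The following simulation, added here and not taken from Thunderbird's source, shows the mechanism described above: a toy IMAP client keeps one read buffer across the STARTTLS transition, so an untagged LIST response that a MitM appends to the plaintext STARTTLS acknowledgement is parsed after the TLS session is up. The transcript, the FakeTransport class and the "keep"/"discard"/"abort" modes are constructed for this example; "discard" and "abort" are two hardening choices a client can make and are not a description of Mozilla's actual patch.

```python
"""
Simulation of the CVE-2021-29969 pattern: IMAP data received in the clear
before STARTTLS survives in the client's read buffer and is parsed after the
TLS handshake as if the genuine server had sent it.  Added example, not
Thunderbird code; all network data below is constructed.
"""
import re

# Constructed plaintext segments as a MitM could deliver them.  The attacker
# appends an untagged LIST response to the segment carrying the STARTTLS OK.
PLAINTEXT_CHUNKS = [
    b"* OK IMAP4rev1 service ready\r\n",
    b"* CAPABILITY IMAP4rev1 STARTTLS\r\na1 OK CAPABILITY completed\r\n",
    b'a2 OK Begin TLS negotiation now\r\n* LIST () "/" "Injected-Folder"\r\n',
]
# Constructed data the genuine server sends inside the TLS session.
TLS_CHUNKS = [b'* LIST () "/" "INBOX"\r\na3 OK LIST completed\r\n']

LIST_RE = re.compile(r'^\* LIST \([^)]*\) "[^"]*" "([^"]*)"$')
CAPA_RE = re.compile(r"^\* CAPABILITY (.*)$")


class FakeTransport:
    """Stands in for a socket: each recv() returns the next queued segment."""

    def __init__(self, chunks):
        self._chunks = list(chunks)

    def recv(self):
        return self._chunks.pop(0) if self._chunks else b""


class ImapClient:
    """Minimal IMAP client; on_leftover selects the STARTTLS behaviour."""

    def __init__(self, plaintext, tls, on_leftover="keep"):
        assert on_leftover in ("keep", "discard", "abort")
        self.transport = FakeTransport(plaintext)
        self.tls_transport = FakeTransport(tls)
        self.on_leftover = on_leftover
        self.buffer = b""          # bytes received but not yet parsed
        self.capabilities = set()
        self.folders = []
        self.tag_no = 0

    def _read_line(self):
        while b"\r\n" not in self.buffer:
            data = self.transport.recv()
            if not data:
                raise ConnectionError("connection closed")
            self.buffer += data
        line, self.buffer = self.buffer.split(b"\r\n", 1)
        return line.decode("ascii")

    def _handle_untagged(self, line):
        if (m := LIST_RE.match(line)):
            self.folders.append(m.group(1))
        elif (m := CAPA_RE.match(line)):
            self.capabilities = set(m.group(1).split())

    def command(self, cmd):
        """Issue a tagged command (scripted, so nothing is written) and
        process responses until the matching tagged status line arrives."""
        self.tag_no += 1
        tag = f"a{self.tag_no}"
        while True:
            line = self._read_line()
            if line.startswith("* "):
                self._handle_untagged(line)
                continue
            rtag, _, status = line.partition(" ")
            if rtag != tag:
                raise ValueError(f"unexpected tagged response: {line}")
            return status

    def starttls(self):
        if not self.command("STARTTLS").startswith("OK"):
            raise RuntimeError("server refused STARTTLS")
        if self.buffer:
            # A conforming server sends nothing between its STARTTLS OK and
            # the TLS handshake, so leftover bytes came from the network path.
            if self.on_leftover == "abort":
                raise RuntimeError("plaintext data after STARTTLS OK; aborting")
            if self.on_leftover == "discard":
                self.buffer = b""
            # "keep" is the vulnerable behaviour: the bytes stay queued.
        if self.on_leftover != "keep":
            # RFC 3501 6.2.1: capabilities learned in the clear are untrusted.
            self.capabilities.clear()
        self.transport = self.tls_transport


def run_session(on_leftover):
    """Greeting, CAPABILITY, STARTTLS, then LIST; returns the client."""
    client = ImapClient(PLAINTEXT_CHUNKS, TLS_CHUNKS, on_leftover)
    client._handle_untagged(client._read_line())   # consume the greeting
    client.command("CAPABILITY")
    client.starttls()
    client.command('LIST "" "*"')
    return client


if __name__ == "__main__":
    print("vulnerable:", run_session("keep").folders)     # ['Injected-Folder', 'INBOX']
    print("hardened:  ", run_session("discard").folders)  # ['INBOX']
```

The check that matters is the one in starttls(): the client must not carry any plaintext-phase bytes (or cached CAPABILITY data) across the TLS transition. Aborting on leftover bytes is the stricter choice, since a correct server never produces them; discarding them silently is the minimum needed to close the injection path.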


Remediation

Install updates from the vendor's website.

External links