Tuesday, January 25, 2022

Ubuntu: (Multiple Advisories) (CVE-2021-4129): Thunderbird vulnerabilities

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.From USN-5248-1:Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, trick a user into accepting unwanted permissions, conduct header splitting attacks, conduct spoofing attacks, bypass security restrictions, confuse the user, or execute arbitrary code. (CVE-2021-4129,CVE-2021-4140,CVE-2021-29981,CVE-2021-29982, CVE-2021-29987,CVE-2021-29991,CVE-2021-38495,CVE-2021-38496, CVE-2021-38497,CVE-2021-38498,CVE-2021-38500,CVE-2021-38501, CVE-2021-38503,CVE-2021-38504,CVE-2021-38506,CVE-2021-38507, CVE-2021-38508,CVE-2021-38509,CVE-2021-43534,CVE-2021-43535, CVE-2021-43536,CVE-2021-43537,CVE-2021-43538,CVE-2021-43539, CVE-2021-43541,CVE-2021-43542,CVE-2021-43543,CVE-2021-43545, CVE-2021-43656,CVE-2022-22737,CVE-2022-22738,CVE-2022-22739, CVE-2022-22740,CVE-2022-22741,CVE-2022-22742,CVE-2022-22743, CVE-2022-22745,CVE-2022-22747,CVE-2022-22748,CVE-2022-22751)It was discovered that Thunderbird ignored the configuration to require STARTTLS for an SMTP connection. A person-in-the-middle could potentially exploit this to perform a downgrade attack in order to intercept messages or take control of a session. (CVE-2021-38502)It was discovered that JavaScript was unexpectedly enabled in the composition area. An attacker could potentially exploit this in combination with another vulnerability, with unspecified impacts. (CVE-2021-43528)A buffer overflow was discovered in the Matrix chat library bundled with Thunderbird. An attacker could potentially exploit this to cause a denial of service, or execute arbitrary code. (CVE-2021-44538)It was discovered that Thunderbird's OpenPGP integration only considered the inner signed message when checking signature validity in a message that contains an additional outer MIME layer. An attacker could potentially exploit this to trick the user into thinking that a message has a valid signature. (CVE-2021-4126)
  • ubuntu-upgrade-thunderbird

  • References

    Copyright © 2021 Vulnerability Database | Cyber Details™

    thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore