Missing Encryption of Sensitive Data Affecting thunderbird package, versions <1:68.9.0-1~deb8u2


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.19% (58th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Missing Encryption of Sensitive Data vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-DEBIAN8-THUNDERBIRD-571633
  • published6 Jun 2020
  • disclosed9 Jul 2020

Introduced: 6 Jun 2020

CVE-2020-12398  (opens in a new tab)
CWE-311  (opens in a new tab)

How to fix?

Upgrade Debian:8 thunderbird to version 1:68.9.0-1~deb8u2 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream thunderbird package and not the thunderbird package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with an unencrypted connection, causing email data to be sent without protection. This vulnerability affects Thunderbird < 68.9.0.

CVSS Scores

version 3.1