Vulnerability Details : CVE-2020-6794
If a user saved passwords before Thunderbird 60 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Thunderbird 60. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Thunderbird < 68.5.
Products affected by CVE-2020-6794
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-6794
0.24%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 61 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-6794
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
8.6
|
2.9
|
NIST | |
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
2.8
|
3.6
|
NIST |
CWE ids for CVE-2020-6794
-
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.Assigned by: nvd@nist.gov (Primary)
-
The product does not properly "clean up" and remove temporary or supporting resources after they have been used.Assigned by: nvd@nist.gov (Primary)
-
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-6794
-
https://bugzilla.mozilla.org/show_bug.cgi?id=1606619
1606619 - (CVE-2020-6794) key3.db encryption key remains on disk from Thunderbird 52.x (becomes issue if adding a master password post 60.x)Exploit;Issue Tracking;Patch;Vendor Advisory
-
https://www.mozilla.org/security/advisories/mfsa2020-07/
Security Vulnerabilities fixed in Thunderbird 68.5 — MozillaVendor Advisory
-
https://usn.ubuntu.com/4335-1/
USN-4335-1: Thunderbird vulnerabilities | Ubuntu security noticesThird Party Advisory
-
https://usn.ubuntu.com/4328-1/
USN-4328-1: Thunderbird vulnerabilities | Ubuntu security noticesThird Party Advisory
-
https://security.gentoo.org/glsa/202003-10
Mozilla Thunderbird: Multiple vulnerabilities (GLSA 202003-10) — Gentoo securityThird Party Advisory
Jump to