Vulnerability Details : CVE-2021-29956
OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions. This vulnerability affects Thunderbird < 78.10.2.
Products affected by CVE-2021-29956
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-29956
- EPSS score: 0.11% (probability of exploitation activity in the next 30 days)
- Percentile: ~ 43% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2021-29956
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST | |
4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 2.8 | 1.4 | NIST | |
CWE ids for CVE-2021-29956
- The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-29956
- https://bugzilla.mozilla.org/show_bug.cgi?id=1710290
  1710290 - (CVE-2021-29956) For OpenPGP secret keys imported with Thunderbird versions 78.8.1 - 78.10.1 the master password isn't effective [Exploit; Patch; Vendor Advisory]
- https://www.mozilla.org/security/advisories/mfsa2021-22/
  Security Vulnerabilities fixed in Thunderbird 78.10.2 — Mozilla [Release Notes; Vendor Advisory]